CVE-2022-38577

HIGH

ProcessMaker <3.5.4 - Privilege Escalation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-38577. PoCs published by sornram9254.

AI-analyzed exploit summary: This repository contains a functional Python script that exploits CVE-2022-38577, a privilege escalation vulnerability in ProcessMaker. The exploit allows a normal user to escalate their privileges to Administrator by manipulating role permissions via insecure API endpoints.

Description

ProcessMaker before v3.5.4 was discovered to contain insecure permissions in the user profile page. This vulnerability allows attackers to escalate normal users to Administrators.

Exploits (1)

Source: nomisec · Working PoC · 3 stars
by sornram9254 · poc
https://github.com/sornram9254/CVE-2022-38577-Processmaker

Classification
Working PoC: 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: ProcessMaker before v3.5.4 (tested on 2.5.0, 2.5.2, 3.0 GA, and 3.2.1)
Auth required: yes
Prerequisites: Valid user credentials · Access to the ProcessMaker application
Analyzed by devstral-2 on Feb 19, 2026

References (3)

Core References
Product (x_refsource_misc): http://processmaker.com
Exploit, Third Party Advisory, VDB Entry (x_refsource_misc): http://packetstormsecurity.com/files/168427/ProcessMaker-Privilege-Escalation.html

Scores

CVSS v3: 8.8
EPSS: 0.0162
EPSS Percentile: 72.8%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-281
Status: published
Products (1): processmaker/processmaker < 3.5.4
Published: Sep 19, 2022
Tracked Since: Feb 18, 2026