Privilege escalation issue in the Identity management module #24768

@emisand

Is there an existing issue for this?

  • I have searched the existing issues

Description

When working with the Identity Management Module and creating multiple different roles with tiered access levels, there's no way of preventing less privileged users from creating or modifying users with admin or higher privileges.

I can have the admin role with all the permissions (as provided by default) and then a different role with restricted permissions, but with permissions to create users and assign roles; users with that specific role are allowed to change their own role to Admin or to create a new Admin user without any restriction.

There should be a way of configuring which roles and users are assignable from each existing role.

Reproduction Steps

  1. Have the default Admin role
  2. Create a Manager role with fewer privileges, but with the User Management - Edit - Manage roles permission
  3. Create a user with the newly created Manager role
  4. Log in and edit the same manager user, adding the Admin role to that user
  5. You end up in a privilege escalation situation

Expected behavior

  1. Have the default Admin role
  2. Create a Manager role with fewer privileges, but with the User Management - Edit - Manage roles permission
  3. Configure the Manager role by checking which roles are assignable from that role, leaving the Admin role unchecked
  4. Create a user with the newly created Manager role
  5. Log in with that new manager user and try to edit roles
  6. You will not be able to assign the Admin role to that user, only the authorized roles.

Actual behavior

The actual behavior doesn't validate which roles are allowed to be assigned by the current user with a specific role.

Regression?

No response

Known Workarounds

Implementing a custom IdentityUserAppService that overrides the original one with added allowed Roles validation.
Implementing a custom entity action contributor for the User entity so the UI can reflect those restrictions.

Version

10.0.2

User Interface

Angular

Database Provider

EF Core (Default)

Tiered or separate authentication server

None (Default)

Operation System

Windows (Default)

Other information

No response
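As an added example (not code from the issue author or from the ABP project), this is one shape the first workaround listed above can take: a replacement for the module's IdentityUserAppService that checks every role name a request wants to assign against a per-role allow-list before delegating to the base implementation. The AssignableRolesOptions type, the RestrictedIdentityUserAppService name, the MyCompany.MyProject.Identity namespace and the role names in the usage note are assumptions made for this example; the base-class constructor parameters follow recent ABP releases and must be compared with the installed Volo.Abp.Identity.Application version.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;
using Volo.Abp.Authorization;
using Volo.Abp.DependencyInjection;
using Volo.Abp.EventBus.Distributed;
using Volo.Abp.Identity;

namespace MyCompany.MyProject.Identity;

// Hypothetical options type: for each role name a caller holds, the role names that
// caller may assign. A role that is not a key here may assign nothing.
public class AssignableRolesOptions
{
    public Dictionary<string, HashSet<string>> AssignableBy { get; } =
        new(StringComparer.OrdinalIgnoreCase);
}

// Replaces the module's IdentityUserAppService. Every endpoint that can change a
// user's roles (create, update, update-roles) is checked before the base code runs.
[Dependency(ReplaceServices = true)]
[ExposeServices(typeof(IIdentityUserAppService), typeof(IdentityUserAppService))]
public class RestrictedIdentityUserAppService : IdentityUserAppService
{
    private readonly AssignableRolesOptions _assignable;

    // Assumption: the base constructor parameters are those of recent ABP releases;
    // compare with the IdentityUserAppService shipped in your installed version.
    public RestrictedIdentityUserAppService(
        IdentityUserManager userManager,
        IIdentityUserRepository userRepository,
        IIdentityRoleRepository roleRepository,
        IOptions<IdentityOptions> identityOptions,
        IDistributedEventBus distributedEventBus,
        IOptions<AssignableRolesOptions> assignable)
        : base(userManager, userRepository, roleRepository, identityOptions, distributedEventBus)
    {
        _assignable = assignable.Value;
    }

    public override async Task<IdentityUserDto> CreateAsync(IdentityUserCreateDto input)
    {
        EnsureCallerMayAssign(input.RoleNames);
        return await base.CreateAsync(input);
    }

    public override async Task<IdentityUserDto> UpdateAsync(Guid id, IdentityUserUpdateDto input)
    {
        // Both directions are blocked: granting a role the caller may not assign, and
        // editing a user who already holds one (which would allow demotion or takeover).
        await EnsureTargetIsManageableAsync(id);
        EnsureCallerMayAssign(input.RoleNames);
        return await base.UpdateAsync(id, input);
    }

    public override async Task UpdateRolesAsync(Guid id, IdentityUserUpdateRolesDto input)
    {
        await EnsureTargetIsManageableAsync(id);
        EnsureCallerMayAssign(input.RoleNames);
        await base.UpdateRolesAsync(id, input);
    }

    // Union of the allow-lists for every role the calling user holds.
    private HashSet<string> RolesAssignableByCaller()
    {
        var allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var role in CurrentUser.Roles)
        {
            if (_assignable.AssignableBy.TryGetValue(role, out var set)) allowed.UnionWith(set);
        }
        return allowed;
    }

    // Fails closed: one role outside the allow-list rejects the whole request
    // instead of being silently dropped from it.
    private void EnsureCallerMayAssign(IEnumerable<string>? requested)
    {
        var allowed = RolesAssignableByCaller();
        var denied = (requested ?? Array.Empty<string>())
            .Where(r => !allowed.Contains(r)).Distinct(StringComparer.OrdinalIgnoreCase).ToList();
        if (denied.Count > 0)
        {
            throw new AbpAuthorizationException(
                "The current user may not assign the role(s): " + string.Join(", ", denied));
        }
    }

    // The target's current roles must also be assignable by the caller; otherwise a
    // Manager could edit an admin account (password, roles) without ever "assigning" Admin.
    private async Task EnsureTargetIsManageableAsync(Guid targetUserId)
    {
        var target = await UserManager.GetByIdAsync(targetUserId);
        var currentRoles = await UserManager.GetRolesAsync(target);
        EnsureCallerMayAssign(currentRoles);
    }
}
```

The allow-list is configured in the application module's ConfigureServices, for instance `Configure<AssignableRolesOptions>(o => { o.AssignableBy["admin"] = new(StringComparer.OrdinalIgnoreCase) { "admin", "Manager" }; o.AssignableBy["Manager"] = new(StringComparer.OrdinalIgnoreCase) { "Manager" }; });` ("admin" is ABP's default admin role name; "Manager" is the role from the reproduction steps). The second workaround, the entity action contributor on the Angular side, only hides actions in the UI; the Angular client still calls the same application service endpoints, so the check has to live server-side as above. The allow-list also assumes the restricted role is not granted the role-management permissions, since a caller who can edit the Manager role's own permissions is not constrained by a check on the user endpoints.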
