Pelican Web UI Affected by a Privilege Escalation Attack
Background On April 2nd, 2026, a Claude coding agent alerted Pelican PI Brian Bockelman to a privilege escalation vulnerability affecting Pelican's Web User Interface (WebUI) for various versions between v7.21 and v7.24. Upon further investigation, the Pelican team discovered this attack allows any user authenticated to the WebUI via OAuth to gain admin privileges under certain configurations. These may include servers with the following configuration variables enabled: Server.UIAdminUsers: Affected if …