Description

BlueWave Checkmate versions up to and including 2.0.2, prior to commit b387eba, contain an improper authorization vulnerability in the user profile update (“edit user”) functionality. A low-privileged user can tamper with the profile edit request to include a role attribute and thereby assign themselves elevated permissions, because the application accepts role changes from client-supplied request data rather than restricting role assignment to authorized server-side logic.
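
The pattern described above next to a server-side fix, as an added sketch that is not Checkmate's own code or the actual patch. The field names, role values and function names are assumptions chosen for illustration.

```javascript
// Added illustration, not Checkmate source. Field names and role values are assumptions.
const SELF_EDITABLE = new Set(["firstName", "lastName", "avatar"]);
const KNOWN_ROLES = new Set(["user", "admin"]);

// Vulnerable pattern: every client-supplied key, including "role",
// is merged into the stored record.
function updateProfileVulnerable(target, body) {
  return { ...target, ...body };
}

// Hardened pattern: profile fields pass an allowlist; "role" is applied only
// when the authenticated actor (taken from the server-side session) is an admin.
function updateProfileHardened(actor, target, body) {
  const isAdmin = actor.role === "admin";
  if (actor.id !== target.id && !isAdmin) {
    throw new Error("forbidden: cannot edit another user");
  }
  const updated = { ...target };
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (SELF_EDITABLE.has(key)) {
      updated[key] = value;
    } else if (key === "role" && isAdmin && KNOWN_ROLES.has(value)) {
      updated.role = value;
    } else {
      rejected.push(key); // worth logging: a tampered request shows up here
    }
  }
  return { updated, rejected };
}

// Constructed sample data.
const lowPriv = { id: 7, role: "user", firstName: "Sam" };
const admin = { id: 1, role: "admin", firstName: "Ada" };
const tampered = { firstName: "Sammy", role: "admin" };

function demo() {
  return {
    vulnerable: updateProfileVulnerable(lowPriv, tampered),
    hardened: updateProfileHardened(lowPriv, lowPriv, tampered),
    adminEdit: updateProfileHardened(admin, lowPriv, { role: "admin" }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `rejected` list doubles as a detection signal: a profile edit from a non-admin session that carries a `role` key is worth an audit log entry.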