Pacemaker before 1.1.13 does not properly evaluate added nodes, which allows remote read-only users to gain privileges via an acl command. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1867