Skip to main content

Camaleon CMS CVE-2026-10715

| EUVDEUVD-2026-36536 MEDIUM
Missing Authorization (CWE-862)
2026-06-12 Fluid Attacks GHSA-vg43-9r8m-q2cc
5.1
CVSS 4.0 · Vendor: Fluid Attacks
Share

Severity by source

Vendor (Fluid Attacks) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.5 LOW

Low-privilege authentication required to reach the admin endpoint; only a peer user's draft integrity is impacted, with no confidentiality or availability effects.

3.1 AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Fluid Attacks).

CVSS VectorVendor: Fluid Attacks

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 12, 2026 - 19:31 vuln.today

DescriptionCVE.org

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.

AnalysisAI

Improper authorization in Camaleon CMS 2.9.2 allows any low-privileged authenticated user to overwrite draft content belonging to other users by supplying an arbitrary post_id to the administrator draft autosave endpoint. The application authenticates the requesting user but performs no ownership check, meaning a contributor or editor can silently corrupt unpublished drafts they do not own. No public exploit code has been identified at time of analysis, and active exploitation has not been confirmed by CISA KEV.

Technical ContextAI

Camaleon CMS is a Ruby on Rails-based content management system. The flaw resides in the draft autosave endpoint at POST /admin/post_type/<POST_TYPE_ID>/drafts, which accepts a client-supplied post_id parameter without verifying that the authenticated user owns or is authorized to modify the referenced post. This is a textbook CWE-862 (Missing Authorization) instance: the application correctly authenticates the user but omits the object-level authorization check needed to confirm resource ownership before performing the write operation. The CPE string cpe:2.3:a:camaleon_cms:camaleon_cms:*:*:*:*:*:*:*:* uses a wildcard version range, indicating the NVD has not bounded the vulnerable range beyond 2.9.2.

RemediationAI

No vendor-released patched version has been independently confirmed at time of analysis; the fix status and any tagged release should be verified directly against the upstream repository at https://github.com/owen2345/camaleon-cms and the Fluid Attacks advisory at https://fluidattacks.com/es/advisories/billie. As a compensating control, restrict access to the /admin/post_type/*/drafts endpoint to only the most trusted user roles via application-level role checks or a reverse-proxy ACL, reducing the attacker pool from all authenticated users to administrators. Additionally, implement object-level authorization validation in the autosave action to confirm that the supplied post_id is owned by or explicitly shared with the requesting user before processing the write - this is the root cause fix regardless of patch availability. The trade-off of role restriction is reduced functionality for legitimate lower-privileged authors who rely on autosave.

CVE-2024-46986 CRITICAL POC
9.9 Sep 18

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. Rated critical severity (CVSS 9

CVE-2023-30145 CRITICAL POC
9.8 May 26

Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats para

CVE-2024-46987 HIGH POC
7.7 Sep 18

Camaleon CMS is a dynamic and advanced content management system based on Ruby on Rails. Rated high severity (CVSS 7.7),

CVE-2024-48652 MEDIUM POC
4.8 Oct 22

Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the cont

CVE-2021-25970 HIGH
8.8 Oct 20

Camaleon CMS 0.1.7 to 2.6.0 doesn’t terminate the active session of the users, even after the admin changes the user’s p

CVE-2021-25969 MEDIUM
6.1 Oct 20

In Camaleon CMS application, versions 0.0.1 to 2.6.0 are vulnerable to stored XSS, that allows an unauthenticated attack

CVE-2018-18260 MEDIUM
6.1 Oct 15

In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. Rated medium severity (CVSS 6.1), this vulnerability

CVE-2026-1776 MEDIUM
6.0 Mar 10

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS

CVE-2021-25972 MEDIUM
4.9 Oct 20

In Camaleon CMS, versions 2.1.2.0 to 2.6.0, are vulnerable to Server-Side Request Forgery (SSRF) in the media upload fea

CVE-2021-25971 MEDIUM
4.3 Oct 20

In Camaleon CMS, versions 2.0.1 to 2.6.0 are vulnerable to an Uncaught Exception. Rated medium severity (CVSS 4.3), this

Share

CVE-2026-10715 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy