Skip to main content

Collabora Online CVE-2026-23623

MEDIUM
Improper Authorization (CWE-285)
2026-02-06 security-advisories@github.com
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Feb 06, 2026 - 00:15 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restrictions and leads to unauthorized data retrieval. This issue has been patched in Collabora Online Development Edition version 25.04.08.2 and Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5.

AnalysisAI

Collabora Online is a collaborative online office suite based on LibreOffice technology. [CVSS 5.3 MEDIUM]

Technical ContextAI

Classified as CWE-285 (Improper Authorization). Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restric

Affected ProductsAI

Component: the.

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Share

CVE-2026-23623 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy