Skip to main content

R-SOFT DMS CVE-2026-41878

| EUVDEUVD-2026-42856 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-10 cvd@cert.pl GHSA-m5fr-qm38-x8f3
7.1
CVSS 4.0 · Vendor: cert
Share

Severity by source

Vendor (cert) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Network-reachable download endpoint (AV:N/AC:L), requires any authenticated account (PR:L), no user interaction; discloses other users' files (C:H) with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (cert).

CVSS VectorVendor: cert

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 10, 2026 - 10:34 vuln.today

DescriptionCVE.org

R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.

This issue was fixed in version v3.19-2862 and v3.17-2580.

AnalysisAI

Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid low-privilege session
Delivery
Call file-download endpoint with own file ID
Exploit
Increment/substitute object ID
Execution
Server skips ownership check, returns file
Impact
Enumerate IDs to bulk-exfiltrate documents

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session of any privilege level (PR:L) - an insider account, compromised credentials, or a self-registered account where registration is open - after which no further special configuration is needed because the vulnerable behavior is the default in all pre-fix versions. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H) indicates a network-reachable, low-complexity attack requiring only low-privilege authenticated access, with high confidentiality impact and no integrity or availability impact - consistent with mass document exfiltration by any valid account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A low-privilege employee (or an attacker using one stolen/self-registered account) logs into R-SOFT DMS and requests a file download, then simply increments or substitutes the file ID parameter in the URL. Because the server only verifies the session and not file ownership, it returns documents belonging to other users, and the attacker scripts sequential ID enumeration to bulk-exfiltrate the entire repository. …
Remediation Vendor-released patch: upgrade to R-SOFT DMS v3.19-2862 (v3.19 branch) or v3.17-2580 (v3.17 branch), which add the missing object-level authorization checks; consult the CERT.PL advisory at https://cert.pl/posts/2026/07/CVE-2026-41876 for details and coordinate the exact build with R-SOFT. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all R-SOFT DMS instances in use and determine if versions are prior to v3.19-2862 or v3.17-2580; document which systems store sensitive information. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-41878 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy