Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable download endpoint (AV:N/AC:L), requires any authenticated account (PR:L), no user interaction; discloses other users' files (C:H) with no integrity or availability effect.
Primary rating from Vendor (cert).
CVSS VectorVendor: cert
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
R-SOFT DMS is vulnerable to Insecure Direct Object Reference (IDOR) attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file.
This issue was fixed in version v3.19-2862 and v3.17-2580.
AnalysisAI
Broken object-level authorization in R-SOFT DMS lets any authenticated user download arbitrary files by manipulating the object ID in multiple file-download endpoints, since the application enforces only session authentication and never checks whether the requester owns or may access the requested file. This is an authenticated confidentiality breach (CVSS 4.0 7.1) affecting all versions prior to v3.19-2862 and v3.17-2580. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session of any privilege level (PR:L) - an insider account, compromised credentials, or a self-registered account where registration is open - after which no further special configuration is needed because the vulnerable behavior is the default in all pre-fix versions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H) indicates a network-reachable, low-complexity attack requiring only low-privilege authenticated access, with high confidentiality impact and no integrity or availability impact - consistent with mass document exfiltration by any valid account. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A low-privilege employee (or an attacker using one stolen/self-registered account) logs into R-SOFT DMS and requests a file download, then simply increments or substitutes the file ID parameter in the URL. Because the server only verifies the session and not file ownership, it returns documents belonging to other users, and the attacker scripts sequential ID enumeration to bulk-exfiltrate the entire repository. … |
| Remediation | Vendor-released patch: upgrade to R-SOFT DMS v3.19-2862 (v3.19 branch) or v3.17-2580 (v3.17 branch), which add the missing object-level authorization checks; consult the CERT.PL advisory at https://cert.pl/posts/2026/07/CVE-2026-41876 for details and coordinate the exact build with R-SOFT. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all R-SOFT DMS instances in use and determine if versions are prior to v3.19-2862 or v3.17-2580; document which systems store sensitive information. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42856
GHSA-m5fr-qm38-x8f3