
Docmost EUVD-2026-22750

CVE-2026-33146 · MEDIUM
Improper Authorization (CWE-285)
Published 2026-04-14 · Reporter: security-advisories@github.com
CVSS 3.1 base score 4.3 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 4.3 MEDIUM
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline (6 events)

Patch released · Apr 23, 2026 - 14:18 · nvd · Patch available
Patch available · Apr 16, 2026 - 05:29 · EUVD · 0.70.3
Analysis Generated · Apr 14, 2026 - 22:43 · vuln.today
EUVD ID Assigned · Apr 14, 2026 - 22:22 · euvd · EUVD-2026-22750
Analysis Generated · Apr 14, 2026 - 22:22 · vuln.today
CVE Published · Apr 14, 2026 - 22:16 · nvd · MEDIUM 4.3

Description (GitHub Advisory)

Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (POST /api/search/share-search) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch.

Analysis (AI-generated)

Docmost versions 0.70.0 through 0.70.2 allow unauthenticated users to bypass authorization controls and enumerate restricted child page titles and text snippets via the public search endpoint, exposing confidential documentation content that should be visible only to authorized share viewers. This medium-severity confidentiality breach affects any Docmost instance with publicly shared content and requires user interaction (clicking a link or accessing the search interface), but it poses a significant risk to organizations that treat Docmost as a confidential knowledge base.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Obtain public share URL
Delivery: Send crafted search request to /api/search/share-search
Exploit: Bypass authorization checks
Execution: Retrieve restricted page metadata
Persist: Enumerate sensitive documentation content
Impact: Exfiltrate confidential information

Vulnerability Assessment (AI-generated)

Risk Assessment: While the CVSS score of 4.3 reflects low attack complexity (AC:L) and no authentication requirement (PR:N), the real-world risk is moderate. …

Exploit Scenario: An attacker obtains a public share link to a Docmost workspace and crafts a POST request to the `/api/search/share-search` endpoint with search queries designed to enumerate page titles and content snippets. Despite having only limited view permissions through the public share token, the attacker receives results for restricted child pages and internal documentation that should not be visible, allowing them to map the workspace structure and extract sensitive information such as API keys, customer names, or internal procedures mentioned in page snippets. …

Remediation: Vendor-released patch: Docmost 0.70.3 and later. …


EUVD-2026-22750 vulnerability details – vuln.today
