
Docmost EUVD-2026-22756 | CVE-2026-34213 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-14 security-advisories@github.com
5.4 MEDIUM · CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: Low
  • Availability: Low

Lifecycle Timeline

  • Patch released: Apr 22, 2026 - 18:46 (nvd)
  • Patch available: Apr 16, 2026 - 05:29 (EUVD), version 0.71.0
  • Analysis Generated: Apr 14, 2026 - 22:43 (vuln.today)
  • EUVD ID Assigned: Apr 14, 2026 - 22:22 (euvd), EUVD-2026-22756
  • Analysis Generated: Apr 14, 2026 - 22:22 (vuln.today)
  • CVE Published: Apr 14, 2026 - 22:16 (nvd), MEDIUM 5.4

Description (GitHub Advisory)

Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim attachmentId to POST /api/files/upload. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.

Analysis (AI)

Docmost versions 0.3.0 through 0.70.x allow authenticated users with low privileges to overwrite arbitrary attachments belonging to other users within the same workspace via improper authorization checks on the POST /api/files/upload endpoint. An attacker can supply a victim's attachmentId to modify or corrupt files without user interaction, compromising document integrity across the workspace. …
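The weakness described above (CWE-639) is an upload handler that trusts a client-supplied attachmentId and checks only workspace membership, so any attachment in the workspace can be replaced. The added example below is illustrative code written for this page, not Docmost's own: it shows that pattern beside a hardened handler that authorizes against the page the attachment actually belongs to. All types, store contents and the page-editor ACL are constructed for the example.

```typescript
// Constructed types and in-memory store standing in for a real database and ACL.
type User = { id: string; workspaceId: string };
type Attachment = { id: string; workspaceId: string; pageId: string; content: string };
type Store = {
  attachments: Map<string, Attachment>;
  // pageId -> user ids permitted to edit that page (constructed ACL)
  pageEditors: Map<string, Set<string>>;
};

function makeStore(): Store {
  return {
    attachments: new Map([
      ["att-victim", { id: "att-victim", workspaceId: "ws-1", pageId: "page-victim", content: "original" }],
      ["att-own", { id: "att-own", workspaceId: "ws-1", pageId: "page-own", content: "mine" }],
    ]),
    pageEditors: new Map([
      ["page-victim", new Set(["victim"])],
      ["page-own", new Set(["attacker"])],
    ]),
  };
}

// Vulnerable pattern: the caller's workspace is checked, but the attachmentId is
// taken at face value, so any attachment in the workspace can be overwritten.
function uploadVulnerable(store: Store, user: User, attachmentId: string, body: string): number {
  const att = store.attachments.get(attachmentId);
  if (!att || att.workspaceId !== user.workspaceId) return 404;
  store.attachments.set(attachmentId, { ...att, content: body });
  return 200; // overwrite succeeded regardless of who owns the page
}

// Hardened pattern: resolve the attachment server-side, then require edit rights
// on the page it belongs to before replacing its content.
function uploadHardened(store: Store, user: User, attachmentId: string, body: string): number {
  const att = store.attachments.get(attachmentId);
  if (!att || att.workspaceId !== user.workspaceId) return 404;
  const editors = store.pageEditors.get(att.pageId);
  if (!editors || !editors.has(user.id)) return 403; // caller may not edit this page
  store.attachments.set(attachmentId, { ...att, content: body });
  return 200;
}
```

The same ownership check belongs on every endpoint that accepts an object id from the client; checking the workspace alone is what CWE-639 describes.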


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Access: Authenticate to workspace
  • Delivery: Enumerate or discover victim attachmentId
  • Exploit: Send crafted upload request with victim ID
  • Execution: API overwrites attachment without authorization check
  • Persist: Attachment replaced in victim's documents
  • Impact: Other users access corrupted/malicious file

Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents a moderate real-world risk. …

Exploit Scenario: An authenticated user with read-only or limited editor access in a Docmost workspace identifies or guesses another user's attachment ID (potentially through workspace file listings, API responses, or collaborative document references). The attacker crafts a POST request to /api/files/upload with the victim's attachmentId parameter, uploading malicious or corrupted content. …

Remediation: Upgrade Docmost to version 0.71.0 or later immediately. …


EUVD-2026-22756 vulnerability details – vuln.today
