Skip to main content

October CMS EUVDEUVD-2026-24159

| CVE-2026-29179 LOW
Incorrect Authorization (CWE-863)
2026-04-21 GitHub_M GHSA-jvwg-phxx-j3rp
3.3
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.3 LOW
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:08 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 17:01 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24159
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:19 nvd
LOW 3.3

DescriptionGitHub Advisory

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.

AnalysisAI

October CMS versions prior to 3.7.16 and 4.1.16 fail to enforce fine-grained sub-permission checks for asset and blueprint file operations in the CMS and Tailor editor extensions, allowing backend users with editor access but explicitly withheld editor.cms_assets or editor.tailor_blueprints permissions to perform unauthorized file operations (create, delete, rename, move, upload) on theme assets and blueprint files. Additionally, an operator precedence error discloses the theme blueprint directory tree under the same conditions. This affects an uncommon permission configuration where high-privileged users have granular restrictions selectively applied.

Technical ContextAI

October CMS is a Laravel-based open-source content management system that provides role-based access control through a permission system. The vulnerability exists in permission enforcement logic within the CMS and Tailor editor extensions, which handle asset management and blueprint file operations. The root cause is classified as CWE-863 (Incorrect Authorization), indicating a failure to check permissions before allowing sensitive operations. The issue stems from an operator precedence error in permission evaluation logic, allowing authenticated backend users to bypass sub-permission checks that should restrict file operations on specific resource types (theme assets and blueprint files). Tailor is October's modern page-building extension that manages blueprint definitions stored in the filesystem.

RemediationAI

Upgrade to October CMS 3.7.16 or 4.1.16 to apply the vendor-released patch that implements proper sub-permission enforcement. For organizations unable to immediately patch, apply compensating controls by auditing and removing uncommon mixed-permission configurations where backend users are granted editor access while having specific sub-permissions (editor.cms_assets or editor.tailor_blueprints) explicitly withheld. Prefer binary permission models where users either have full editor privileges including asset/blueprint permissions or are restricted from editing entirely, avoiding the intermediate state that triggers this vulnerability. Monitor file operations on theme assets and blueprint directories for unauthorized modifications by backend users. Review audit logs for users with editor roles to identify those with atypical permission assignments. See GitHub Security Advisory GHSA-jvwg-phxx-j3rp for additional details and patch download links.

CVE-2017-1000119 HIGH POC
7.2 Oct 05

October CMS build 412 is vulnerable to PHP code execution in the file upload functionality resulting in site compromise

CVE-2021-3311 CRITICAL POC
9.8 Feb 05

An issue was discovered in October through build 471. Rated critical severity (CVSS 9.8), this vulnerability is remotely

CVE-2021-32648 CRITICAL POC
9.1 Aug 26

octobercms in a CMS platform based on the Laravel PHP Framework. Rated critical severity (CVSS 9.1), this vulnerability

CVE-2017-16244 HIGH POC
8.8 Nov 01

Cross-Site Request Forgery exists in OctoberCMS 1.0.426 (aka Build 426) due to improper validation of CSRF tokens for po

CVE-2022-21705 HIGH POC
7.2 Feb 23

Octobercms is a self-hosted CMS platform based on the Laravel PHP Framework. Rated high severity (CVSS 7.2), this vulner

CVE-2018-7198 MEDIUM POC
6.1 Feb 18

October CMS through 1.0.431 allows XSS by entering HTML on the Add Posts page. Rated medium severity (CVSS 6.1), this vu

CVE-2017-1000196 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromis

CVE-2017-1000197 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to file path modification in asset move functionality resulting in creating creating

CVE-2017-1000194 CRITICAL
9.8 Nov 17

October CMS build 412 is vulnerable to Apache configuration modification via file upload functionality resulting in site

CVE-2017-15284 MEDIUM POC
5.4 Oct 12

Cross-Site Scripting exists in OctoberCMS 1.0.425 (aka Build 425), allowing a least privileged user to upload an SVG fil

CVE-2015-5613 MEDIUM POC
5.4 Sep 28

Cross-site scripting (XSS) vulnerability in October CMS build 271 and earlier allows remote attackers to inject arbitrar

CVE-2023-43876 MEDIUM POC
5.4 Sep 28

A Cross-Site Scripting (XSS) vulnerability in installation of October v.3.4.16 allows an attacker to execute arbitrary w

Share

EUVD-2026-24159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy