GHSA-JVWG-PHXX-J3RP
Vulnerability from github – Published: 2026-04-21 17:15 – Updated: 2026-04-21 17:15
VLAI?
Summary
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
Details
Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions.
Impact
- Only exploitable by authenticated backend users with
editoraccess who have been specifically denied theeditor.cms_assetsoreditor.tailor_blueprintssub-permissions - Does not affect default permission configurations where editor users typically have all sub-permissions granted
- Users without
editor.cms_assetscould manipulate theme asset files (delete, rename, move, upload, create directories) - Users without
editor.tailor_blueprintscould manipulate blueprint files (delete, rename, move, upload, create directories) - Users without
editor.tailor_blueprintscould view the theme blueprint navigation tree, disclosing file paths and directory structure
Patches
The vulnerability has been patched in v3.7.16 and v4.1.16. Fine-grained document type permission checks are now enforced on all asset and blueprint file operation commands, and the navigation node condition logic has been corrected. All users are encouraged to upgrade to the latest patched version.
Workarounds
- Restrict the
editorpermission to fully trusted administrators only - Remove the
editorpermission from any user who should not have asset or blueprint management access
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "october/system"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.1.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "october/system"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.7.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-29179"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T17:15:38Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted `editor` access but had `editor.cms_assets` or `editor.tailor_blueprints` specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions.\n\n### Impact\n- Only exploitable by authenticated backend users with `editor` access who have been specifically denied the `editor.cms_assets` or `editor.tailor_blueprints` sub-permissions\n- Does not affect default permission configurations where editor users typically have all sub-permissions granted\n- Users without `editor.cms_assets` could manipulate theme asset files (delete, rename, move, upload, create directories)\n- Users without `editor.tailor_blueprints` could manipulate blueprint files (delete, rename, move, upload, create directories)\n- Users without `editor.tailor_blueprints` could view the theme blueprint navigation tree, disclosing file paths and directory structure\n\n### Patches\nThe vulnerability has been patched in v3.7.16 and v4.1.16. Fine-grained document type permission checks are now enforced on all asset and blueprint file operation commands, and the navigation node condition logic has been corrected. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\n- Restrict the `editor` permission to fully trusted administrators only\n- Remove the `editor` permission from any user who should not have asset or blueprint management access",
"id": "GHSA-jvwg-phxx-j3rp",
"modified": "2026-04-21T17:15:38Z",
"published": "2026-04-21T17:15:38Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp"
},
{
"type": "PACKAGE",
"url": "https://github.com/octobercms/october"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…