CVE-2026-24732

Received Received - Intake

Improper ACL Permissions in BlueSpice NSFileRepo Allow Unauthorized Access

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Hallo Welt! GmbH

Description

Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0. HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-04

Last Modified

2026-03-04

Generated

2026-06-16

AI Q&A

2026-03-04

EPSS Evaluated

2026-06-15

NVD

CVE-2026-24732

EUVD

EUVD-2026-9393

Affected Vendors & Products

Vendor	Product	Version / Range
bluespice	bluespice	From 5.1 (inc) to 5.1.3 (inc)
bluespice	bluespice	From 5.2 (inc) to 5.2.0 (inc)
bluespice	bluespice	4
bluespice	bluespice	5

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-732	The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-552	The product makes files or directories accessible to unauthorized actors, even though they should not be.

Attack-Flow Graph

Executive Summary

This vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) involves files or directories being accessible to external parties due to incorrect permission assignments for critical resources. It allows unauthorized access to functionality that is not properly constrained by Access Control Lists (ACLs), effectively bypassing electronic locks and access controls.

The affected BlueSpice versions are from 5.1 through 5.1.3 and from 5.2 through 5.2.0, with Extension:NSFileRepo versions greater than 3.0 and less than 3.0.5 being vulnerable.

Impact Analysis

This vulnerability can lead to unauthorized external parties accessing files or directories that should be protected, potentially exposing sensitive information or critical resources.

Because the access controls and electronic locks can be bypassed, attackers might gain access to restricted functionality or data, which could compromise the confidentiality and integrity of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the vulnerability in BlueSpice versions affected by CVE-2026-24732, ensure that the MongoDB service used by BlueSpice is not accessible from the internet or any external network, as the default configuration restricts external access.'}, {'type': 'paragraph', 'content': "Although this CVE specifically concerns BlueSpice Extension:NSFileRepo modules, general mitigation advice from related BlueSpice advisories includes updating container images using BlueSpice's deployment tool."}, {'type': 'list_item', 'content': 'Run the command: `bluespice-deploy pull collabpads-database`'}, {'type': 'list_item', 'content': 'Then run: `bluespice-deploy up -d` to update and restart the container.'}, {'type': 'paragraph', 'content': 'Maintaining network isolation of the MongoDB service is critical to prevent unauthenticated external access.'}] [1]

Hi! I’m here to help you understand CVE-2026-24732. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-24732

Improper ACL Permissions in BlueSpice NSFileRepo Allow Unauthorized Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart