CVE-2026-24732
Received Received - Intake

Improper ACL Permissions in BlueSpice NSFileRepo Allow Unauthorized Access

Vulnerability report for CVE-2026-24732, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Hallo Welt! GmbH

Description

Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0. HINT: Versions provided apply to BlueSpice MediaWiki releases. ForΒ Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-04
Last Modified
2026-03-04
Generated
2026-07-06
AI Q&A
2026-03-04
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
bluespice bluespice From 5.1 (inc) to 5.1.3 (inc)
bluespice bluespice From 5.2 (inc) to 5.2.0 (inc)
bluespice bluespice 4
bluespice bluespice 5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) involves files or directories being accessible to external parties due to incorrect permission assignments for critical resources. It allows unauthorized access to functionality that is not properly constrained by Access Control Lists (ACLs), effectively bypassing electronic locks and access controls.

The affected BlueSpice versions are from 5.1 through 5.1.3 and from 5.2 through 5.2.0, with Extension:NSFileRepo versions greater than 3.0 and less than 3.0.5 being vulnerable.

Impact Analysis

This vulnerability can lead to unauthorized external parties accessing files or directories that should be protected, potentially exposing sensitive information or critical resources.

Because the access controls and electronic locks can be bypassed, attackers might gain access to restricted functionality or data, which could compromise the confidentiality and integrity of the system.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the vulnerability in BlueSpice versions affected by CVE-2026-24732, ensure that the MongoDB service used by BlueSpice is not accessible from the internet or any external network, as the default configuration restricts external access.'}, {'type': 'paragraph', 'content': "Although this CVE specifically concerns BlueSpice Extension:NSFileRepo modules, general mitigation advice from related BlueSpice advisories includes updating container images using BlueSpice's deployment tool."}, {'type': 'list_item', 'content': 'Run the command: `bluespice-deploy pull collabpads-database`'}, {'type': 'list_item', 'content': 'Then run: `bluespice-deploy up -d` to update and restart the container.'}, {'type': 'paragraph', 'content': 'Maintaining network isolation of the MongoDB service is critical to prevent unauthenticated external access.'}] [1]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-24732. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart