CVE-2026-33486
Local File Read Vulnerability in Roadiz Documents Module
Publication date: 2026-03-26
Last updated on: 2026-03-31
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roadiz | core-bundle-dev-app | Up to 2.3.42 (exc) |
| roadiz | core-bundle-dev-app | From 2.4.0 (inc) to 2.5.44 (exc) |
| roadiz | core-bundle-dev-app | From 2.6.0 (inc) to 2.6.28 (exc) |
| roadiz | core-bundle-dev-app | From 2.7.0 (inc) to 2.7.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process can access, including environment files, database credentials, and internal configuration files.
Because the read runs with the web server's privileges, every file that process can read is exposed, so the confidentiality of the application's secrets and of any host files it can reach is lost.
Exposure of personal or sensitive data held in those files can put the operator out of compliance with data protection regulations such as GDPR and HIPAA, which require controls that prevent unauthorized access to and disclosure of such data.
Exploitation of this vulnerability can therefore constitute a reportable breach under those standards through the leakage of confidential data and credentials.
How can this vulnerability impact me?:
This vulnerability can lead to a loss of confidentiality for every file the web server process can read, on both the application and the underlying operating system.
- Attackers can read critical files such as .env, security.yaml, and database credential files.
- Credentials and secrets found in those files can be reused against other accounts and services, enabling horizontal and vertical privilege escalation.
- Attackers can perform system enumeration by reading files like /etc/passwd.
- In cloud environments, the same flaw used with an http URL can reach the instance metadata service (for example AWS IMDS at 169.254.169.254) and obtain the temporary credentials of the IAM role attached to the instance, potentially compromising further infrastructure. Where IMDSv2 is enforced, a plain GET does not return credentials because a session token obtained with a PUT request is required, which limits this path.
Can you explain this vulnerability to me?
CVE-2026-33486 is a vulnerability in the Roadiz content management system, specifically in the roadiz/documents package before the patched versions 2.3.42, 2.5.44, 2.6.28 and 2.7.9. It allows an authenticated user with document import rights to read any file on the server's local file system that the web server process can access.
The issue arises because the method DownloadedFile::fromUrl() fetches whatever URL it is given without validating the scheme or the destination host. An attacker can supply a local file URI such as file:///etc/passwd; the system reads the file and imports its contents as a media document, exposing the file to the attacker.
Classified as CWE-918 (Server-Side Request Forgery), the flaw has two faces: with the file scheme it is an arbitrary local file read (the file is copied into a document, not included or executed, so "LFI" is a loose label for it), and with http URLs pointing at loopback, private or link-local addresses it is a classic SSRF against services reachable only from the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring the Roadiz Documents import-from-URL functionality for URLs with unsafe schemes such as file:// or php://, or with destinations on loopback, private, or link-local addresses.
The method name `DownloadedFile::fromUrl()` will normally not appear in logs unless an exception raised during an import was logged with a stack trace; a more reliable first step is to confirm which version of the package is installed (for example with `composer show roadiz/documents` in the project directory) and compare it with the patched versions listed under mitigation.
Suggested commands to detect exploitation attempts include searching application logs or web server logs for suspicious URL patterns such as:
- grep -rEi '\b(file|php)(://|%3a%2f%2f)|(://|%2f%2f)(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|localhost|\[::1\])' /path/to/roadiz/logs
- grep -r 'DownloadedFile::fromUrl' /path/to/roadiz/logs (only useful where exception traces are logged)
These patterns still miss alternative encodings (decimal or octal IP literals, IPv4-mapped IPv6 addresses) and DNS names that resolve to internal hosts, so treat a clean grep as weak evidence. Note also that web server access logs do not record POST bodies; if the import URL is submitted in a form body, look at application logs or enable request-body logging at the reverse proxy. Network monitoring can alert on outbound connections from the web host to 169.254.169.254 or other internal addresses, but a file:// import never touches the network, so that signal covers only the SSRF variant.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade roadiz/documents to the patched release for your branch: 2.7.9, 2.6.28, 2.5.44, or 2.3.42.
These versions validate URLs passed to the `DownloadedFile::fromUrl()` method, rejecting unsafe URLs such as local file paths, localhost domains, and private or reserved IP addresses.
If upgrading is not immediately possible, restrict the Documents import functionality to the smallest set of trusted users; the vulnerability requires an authenticated account with document access rights, so every such account is a potential attack path.
Network-level egress controls (blocking outbound HTTP from the web host to loopback, private and link-local ranges, including 169.254.169.254) contain the SSRF side of the issue but do nothing against file:// URIs, which never leave the host; treat them as a partial measure only.
Review and monitor logs for suspicious activity as a temporary detection measure until the patch can be applied, and rotate any credentials stored in files the web server can read if exploitation is suspected.
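The log search suggested under detection and the scheme/destination check described under mitigation reduce to the same question: is this URL safe to fetch server-side? The following script is an added example written for this page; it is not code from Roadiz, from the roadiz/documents fix, or from this advisory. It classifies a URL by scheme and by destination (loopback, link-local, private and reserved literals, including IPv4-mapped IPv6 and bare-integer IPv4 hosts) and then runs that classifier over constructed log lines, percent-decoding each line first so that encoded payloads are not missed. The log format, the /rz-admin/documents/import path and the function names are assumptions.

```python
"""Classify server-side fetch URLs and scan log lines for rejected ones.

Added example, not Roadiz project code. The log format and the
/rz-admin/documents/import path below are constructed for illustration.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

# Anything that looks like scheme://...; the class stops at quotes, whitespace
# and angle brackets so URLs embedded in log fields are cut cleanly.
URL_RE = re.compile(r"\b[a-z][a-z0-9+.\-]*://[^\s\"'<>]+", re.IGNORECASE)


def _literal_ip(host: str):
    """Return an ip_address for literal hosts (dotted, IPv6, IPv4-mapped IPv6,
    bare integer such as http://2130706433/), or None for DNS names."""
    if host.isdigit() and int(host) < 2**32:
        return ipaddress.IPv4Address(int(host))
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, not "some IPv6 host"
    return ip


def classify_url(url: str) -> Optional[str]:
    """Return why `url` must not be fetched server-side, or None if nothing is visible.

    None for a DNS name means "not rejected yet": a real check must resolve the
    name, run the same address tests on every resolved address and on every
    redirect target, and connect only to the vetted address.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "unparseable URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return f"disallowed scheme {scheme or '(none)'}"
    host = parts.hostname  # already lower-cased, brackets stripped
    if not host:
        return "missing host"
    if host.rstrip(".") in LOOPBACK_NAMES or host.endswith(".localhost"):
        return "loopback hostname"
    ip = _literal_ip(host)
    if ip is None:
        return None
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address"  # 169.254.169.254: cloud metadata endpoint
    if ip.is_private:
        return "private address"
    if ip.is_unspecified or ip.is_reserved or ip.is_multicast:
        return "reserved address"
    return None


def scan_log_lines(text: str) -> List[Tuple[int, str, str]]:
    """Flag every URL in `text` that classify_url rejects.

    Each line is percent-decoded first so that url=file%3A%2F%2F%2Fetc%2Fpasswd
    is seen as file:///etc/passwd. Returns (line_number, decoded_url, reason).
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(unquote(line)):
            reason = classify_url(match.group(0))
            if reason:
                hits.append((lineno, match.group(0), reason))
    return hits


# Constructed sample: an application log that records the URL submitted to the
# document import form. The path and field layout are hypothetical.
SAMPLE_LOG = """\
2026-03-26T10:00:01Z editor POST /rz-admin/documents/import url=https://cdn.example.org/img/logo.png
2026-03-26T10:00:09Z editor POST /rz-admin/documents/import url=file:///etc/passwd
2026-03-26T10:00:15Z editor POST /rz-admin/documents/import url=http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F
2026-03-26T10:00:21Z editor POST /rz-admin/documents/import url=http://[::ffff:127.0.0.1]:8080/.env
2026-03-26T10:00:30Z editor POST /rz-admin/documents/import url=http://2130706433/
"""

if __name__ == "__main__":
    for lineno, url, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {lineno}: {reason}: {url}")
```

Run it directly to print the flagged lines; the first sample line (a public CDN URL) is the only one that passes. The percent-decoding step is what catches the encoded metadata URL, which the plain grep above does not see. A DNS name comes back as None only because this offline check does no resolution: a production validator must resolve the name and re-run the address tests on every resolved address and on every HTTP redirect target, then connect only to the address it vetted, or a hostname that points at 127.0.0.1 or 169.254.169.254 bypasses the check.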