CVE-2026-33486
Received Received - Intake
Local File Read Vulnerability in Roadiz Documents Module

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-31
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33486
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
roadiz core-bundle-dev-app to 2.3.42 (exc)
roadiz core-bundle-dev-app From 2.4.0 (inc) to 2.5.44 (exc)
roadiz core-bundle-dev-app From 2.6.0 (inc) to 2.6.28 (exc)
roadiz core-bundle-dev-app From 2.7.0 (inc) to 2.7.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can lead to a complete loss of confidentiality for the affected web application and its underlying operating system.

  • Attackers can read critical files such as .env, security.yaml, and database credential files.
  • It enables horizontal and vertical privilege escalation by exposing sensitive configuration and credential information.
  • Attackers can perform system enumeration by reading files like /etc/passwd.
  • In cloud environments, attackers can access internal metadata endpoints (e.g., AWS metadata service) to steal root IAM roles, potentially compromising the entire infrastructure.
Executive Summary

CVE-2026-33486 is a vulnerability in the Roadiz content management system, specifically in the roadiz/documents package prior to certain patched versions. It allows an authenticated attacker to read any file on the server's local file system that the web server process can access.

The issue arises because the method DownloadedFile::fromUrl() does not properly validate or sanitize the URLs it processes. This allows an attacker to supply unsafe URLs, including local file URIs (e.g., file:///etc/passwd), which the system then reads and imports as media documents.

This vulnerability is a combination of Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI), enabling attackers to read sensitive files such as environment variables, database credentials, and internal configuration files by injecting malicious URLs.

Detection Guidance

This vulnerability can be detected by monitoring for attempts to access or import files using unsafe URL schemes such as file:// or local IP addresses through the Roadiz Documents import functionality.

Since the vulnerability involves the `DownloadedFile::fromUrl()` method processing unsafe URLs, detection can focus on identifying usage of this method with suspicious URLs or monitoring logs for requests containing local file paths or internal IP addresses.

Suggested commands to detect exploitation attempts include searching application logs or web server logs for suspicious URL patterns such as:

  • grep -rE 'file://|php://|127\.0\.0\.1|localhost|192\.168\.|169\.254\.' /path/to/roadiz/logs
  • grep -r 'DownloadedFile::fromUrl' /path/to/roadiz/logs

Additionally, network monitoring tools can be configured to alert on HTTP requests containing suspicious URL parameters or payloads that include local file paths or internal IP addresses.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade the Roadiz Documents package to one of the patched versions: 2.7.9, 2.6.28, 2.5.44, or 2.3.42.

These versions include a fix that strictly validates URLs passed to the `DownloadedFile::fromUrl()` method, rejecting unsafe URLs such as local file paths, localhost domains, and private or reserved IP addresses.

If upgrading is not immediately possible, consider restricting access to the Documents import functionality to only trusted users with the necessary privileges, as the vulnerability requires authenticated users with document access rights.

Additionally, implement network-level controls to block outbound HTTP requests to local IP ranges and localhost addresses from the web server hosting Roadiz.

Review and monitor logs for suspicious activity as a temporary detection measure until the patch can be applied.

Compliance Impact

This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files.

Such unauthorized access to sensitive data can lead to a complete confidentiality loss of the web application and underlying operating system, exposing critical files and secrets.

This exposure of sensitive information can result in non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect personal and sensitive data from unauthorized access and disclosure.

Therefore, exploitation of this vulnerability could lead to violations of these standards due to the potential leakage of confidential data and credentials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33486. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart