CVE-2026-3977
Received Received - Intake
Missing Authorization Vulnerability in ProjectSend AJAX Endpoints

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: VulDB

Description
A security vulnerability has been detected in projectsend up to r1945. The affected element is an unknown function of the component AJAX Endpoints. The manipulation leads to missing authorization. The attack can be initiated remotely. The identifier of the patch is 35dfd6f08f7d517709c77ee73e57367141107e6b. To fix this issue, it is recommended to deploy a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-12
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3977
EUVD
EUVD-2026-11520
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-3977 is an authorization vulnerability in the ProjectSend application up to version r1945, specifically affecting AJAX endpoints related to file management and thumbnail regeneration.

The issue arises because certain AJAX actions do not properly check if a user has the required permissions before allowing operations such as regenerating thumbnails or deleting files.

This means that authenticated users with minimal privileges can bypass authorization controls to enumerate files, trigger thumbnail regeneration, or delete files and custom download links they do not own.

Additionally, debug logging of sensitive data like plaintext passwords was found, which could expose sensitive information.

The vulnerability is fixed by adding proper permission checks for the `edit_settings` capability on AJAX endpoints, verifying file ownership before deletion, and removing debug logging.

Impact Analysis

This vulnerability can impact you by allowing unauthorized or low-privileged authenticated users to perform actions they should not be able to, such as:

  • Enumerating all files in the system, exposing file IDs, URLs, filenames, and timestamps.
  • Triggering thumbnail regeneration for any file, potentially causing resource misuse or denial of service.
  • Deleting files or custom download links owned by other users without proper authorization.

Moreover, sensitive information like plaintext passwords could be exposed in server logs due to debug logging.

Overall, this leads to risks to the confidentiality, integrity, and availability of your data and system.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves missing authorization checks in AJAX endpoints and file management functions within the ProjectSend application. Detection involves verifying if unauthorized users can access or invoke sensitive AJAX actions such as thumbnail regeneration or file deletion without proper permissions.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows authenticated users with minimal privileges to enumerate files and trigger thumbnail regeneration, you can attempt to detect it by testing access to the following AJAX endpoints:'}, {'type': 'list_item', 'content': 'Invoke AJAX actions `thumbnails_regenerate_get_files` and `thumbnails_regenerate_process` without having the `edit_settings` permission and observe if the system allows these actions.'}, {'type': 'list_item', 'content': 'Attempt to delete files or custom download links that are not owned by the current user and check if the deletion is permitted.'}, {'type': 'paragraph', 'content': 'Example commands (assuming you have authenticated session cookies or tokens) could include using curl to send POST requests to the AJAX endpoints or file management scripts to test authorization enforcement. For example:'}, {'type': 'list_item', 'content': "curl -X POST -b cookies.txt -d 'action=thumbnails_regenerate_get_files' https://your-projectsend-instance/includes/ajax.process.php"}, {'type': 'list_item', 'content': "curl -X POST -b cookies.txt -d 'action=thumbnails_regenerate_process' https://your-projectsend-instance/includes/ajax.process.php"}, {'type': 'list_item', 'content': "curl -X POST -b cookies.txt -d 'action=delete&file_id=some_file_id' https://your-projectsend-instance/manage-downloads.php"}, {'type': 'paragraph', 'content': 'If these commands succeed without proper permission checks or ownership verification, the system is vulnerable.'}] [1, 3]

Mitigation Strategies

The primary and immediate mitigation step is to apply the official patch identified by commit ID 35dfd6f08f7d517709c77ee73e57367141107e6b available in the ProjectSend GitHub repository.

This patch enforces strict permission checks on AJAX endpoints related to thumbnail regeneration and file deletion, ensuring only users with the `edit_settings` or `edit_others_files` capabilities can perform these actions.

Additionally, the patch removes debug logging that exposed sensitive information.

Until the patch is applied, consider restricting access to the affected AJAX endpoints and file management scripts to trusted users only, and monitor logs for suspicious activity involving unauthorized access attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart