CVE-2026-3977
Missing Authorization Vulnerability in ProjectSend AJAX Endpoints
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: VulDB
Description
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3977 is an authorization vulnerability in the ProjectSend application up to version r1945, specifically affecting AJAX endpoints related to file management and thumbnail regeneration.
The issue arises because certain AJAX actions do not properly check if a user has the required permissions before allowing operations such as regenerating thumbnails or deleting files.
This means that authenticated users with minimal privileges can bypass authorization controls to enumerate files, trigger thumbnail regeneration, or delete files and custom download links they do not own.
Additionally, debug logging of sensitive data like plaintext passwords was found, which could expose sensitive information.
The vulnerability is fixed by adding proper permission checks for the `edit_settings` capability on AJAX endpoints, verifying file ownership before deletion, and removing debug logging.
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthorized or low-privileged authenticated users to perform actions they should not be able to, such as:
- Enumerating all files in the system, exposing file IDs, URLs, filenames, and timestamps.
- Triggering thumbnail regeneration for any file, potentially causing resource misuse or denial of service.
- Deleting files or custom download links owned by other users without proper authorization.
Moreover, sensitive information like plaintext passwords could be exposed in server logs due to debug logging.
Overall, this leads to risks to the confidentiality, integrity, and availability of your data and system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in AJAX endpoints and file management functions within the ProjectSend application. Detection involves verifying whether unauthorized users can access or invoke sensitive AJAX actions such as thumbnail regeneration or file deletion without proper permissions.
Since the vulnerability allows authenticated users with minimal privileges to enumerate files and trigger thumbnail regeneration, you can attempt to detect it by testing access to the following AJAX endpoints:
- Invoke the AJAX actions `thumbnails_regenerate_get_files` and `thumbnails_regenerate_process` without having the `edit_settings` permission and observe whether the system allows these actions.
- Attempt to delete files or custom download links that are not owned by the current user and check whether the deletion is permitted.
Example commands (assuming you have authenticated session cookies or tokens) could include using curl to send POST requests to the AJAX endpoints or file management scripts to test authorization enforcement. For example:
- curl -X POST -b cookies.txt -d 'action=thumbnails_regenerate_get_files' https://your-projectsend-instance/includes/ajax.process.php
- curl -X POST -b cookies.txt -d 'action=thumbnails_regenerate_process' https://your-projectsend-instance/includes/ajax.process.php
- curl -X POST -b cookies.txt -d 'action=delete&file_id=some_file_id' https://your-projectsend-instance/manage-downloads.php
If these commands succeed without proper permission checks or ownership verification, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to apply the official patch identified by commit ID 35dfd6f08f7d517709c77ee73e57367141107e6b available in the ProjectSend GitHub repository.
This patch enforces strict permission checks on AJAX endpoints related to thumbnail regeneration and file deletion, ensuring only users with the `edit_settings` or `edit_others_files` capabilities can perform these actions.
Additionally, the patch removes debug logging that exposed sensitive information.
Until the patch is applied, consider restricting access to the affected AJAX endpoints and file management scripts to trusted users only, and monitor logs for suspicious activity involving unauthorized access attempts.
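The following is an added illustration of the authorization pattern the fix describes (a capability gate for `edit_settings` on the thumbnail actions, and an ownership or `edit_others_files` check before deletion, with no credentials written to logs). It is not ProjectSend's code and not the patch itself: the helper names `user_can()`, `json_response()`, `audit_log()` and the in-memory `$USERS` / `$FILES` tables are hypothetical stand-ins, and the sample users and files are constructed. The vulnerable shape is shown beside the hardened one so the difference is visible in a single run.

```php
<?php
// Added example (not ProjectSend's own code): a vulnerable AJAX handler shape
// next to a hardened one. Every name below is a hypothetical stand-in.

declare(strict_types=1);

// Constructed sample data: one administrator, one low-privilege client.
$USERS = [
    1 => ['name' => 'admin',  'capabilities' => ['edit_settings', 'edit_others_files']],
    2 => ['name' => 'client', 'capabilities' => []],
];
$FILES = [
    10 => ['owner_id' => 1, 'filename' => 'report.pdf'],
    11 => ['owner_id' => 2, 'filename' => 'invoice.pdf'],
];

// Hypothetical capability lookup against the in-memory user table.
function user_can(int $user_id, string $capability): bool {
    global $USERS;
    return in_array($capability, $USERS[$user_id]['capabilities'] ?? [], true);
}

// Return a status/body pair instead of echoing, so handlers run without a web server.
function json_response(int $status, array $body): array {
    return ['status' => $status, 'body' => $body];
}

// --- Vulnerable shape (CWE-862): no authorization check at all ---
function vulnerable_thumbnails_regenerate(int $user_id, array $files): array {
    // Any logged-in user receives the full file list (ids, names, timestamps).
    return json_response(200, ['files' => array_keys($files)]);
}

function vulnerable_delete(int $user_id, int $file_id, array &$files): array {
    // Ownership is never verified, so a client can delete another user's file.
    unset($files[$file_id]);
    return json_response(200, ['deleted' => $file_id]);
}

// --- Hardened shape: capability gate first, then ownership check ---
function safe_thumbnails_regenerate(int $user_id, array $files): array {
    if (!user_can($user_id, 'edit_settings')) {
        return json_response(403, ['error' => 'forbidden']);
    }
    return json_response(200, ['files' => array_keys($files)]);
}

function safe_delete(int $user_id, int $file_id, array &$files): array {
    if (!isset($files[$file_id])) {
        return json_response(404, ['error' => 'not found']);
    }
    $is_owner = $files[$file_id]['owner_id'] === $user_id;
    if (!$is_owner && !user_can($user_id, 'edit_others_files')) {
        return json_response(403, ['error' => 'forbidden']);
    }
    unset($files[$file_id]);
    return json_response(200, ['deleted' => $file_id]);
}

// Logging: record the authorization decision only; never credentials or request bodies.
function audit_log(string $action, int $user_id, int $status): string {
    return sprintf('%s action=%s user=%d status=%d', date('c'), $action, $user_id, $status);
}

// Exercise both shapes as the low-privilege client (id 2) against the admin's file (id 10).
$copy = $FILES;
$r = vulnerable_delete(2, 10, $copy);
echo "vulnerable delete: status {$r['status']}, file 10 still present: "
    . (isset($copy[10]) ? 'yes' : 'no') . "\n";

$copy = $FILES;
$r = safe_delete(2, 10, $copy);
echo "hardened delete: status {$r['status']}, file 10 still present: "
    . (isset($copy[10]) ? 'yes' : 'no') . "\n";
echo audit_log('delete', 2, $r['status']) . "\n";

$r = safe_thumbnails_regenerate(2, $FILES);
echo "hardened thumbnails as client: status {$r['status']}\n";
$r = safe_thumbnails_regenerate(1, $FILES);
echo "hardened thumbnails as admin: status {$r['status']}\n";
```

Run with `php example.php`: the vulnerable delete returns 200 and removes the admin's file, while the hardened delete returns 403 and leaves it in place; the thumbnail action returns 403 for the client and 200 for the administrator. The ordering matters: the cheap capability check runs before any database lookup, and the ownership check is applied per record rather than once per request, which is what prevents a valid low-privilege session from reaching resources it does not own.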