CVE-2026-26067
Information Disclosure via CSS Preprocessor in October CMS Editors
Publication date: 2026-04-21
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| octobercms | october | to 3.7.14 (exc) |
| octobercms | october | to 4.1.10 (exc) |
| octobercms | system | to 3.7.13 (exc) |
| octobercms | system | to 4.1.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows authenticated backend users with Editor permissions to read arbitrary files on the server, leading to a high impact on confidentiality.
Since the vulnerability compromises confidentiality by exposing potentially sensitive information stored on the server, it could negatively affect compliance with data protection standards and regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access.
Organizations using affected versions of OctoberCMS should apply the patches or workarounds promptly to maintain compliance and protect sensitive data.
Can you explain this vulnerability to me?
CVE-2026-26067 is a server-side information disclosure vulnerability in OctoberCMS affecting versions prior to 3.7.14 and 4.1.10. It arises from improper handling of CSS preprocessor files (.less, .sass, .scss) by the CMS backend.
Specifically, backend users with Editor permissions can exploit the import functionality of these CSS preprocessor files to read arbitrary files on the server, even when the cms.safe_mode configuration is enabled, which was intended to prevent such actions.
This means that an authenticated user with Editor-level access can bypass restrictions and access sensitive server files by crafting malicious CSS preprocessor files.
How can this vulnerability impact me?
This vulnerability impacts the confidentiality of the system by allowing an authenticated Editor user to read arbitrary files on the server.
An attacker exploiting this flaw could access sensitive information stored on the server, such as configuration files, credentials, or other private data.
The vulnerability does not affect the integrity or availability of the system, but the exposure of confidential data could lead to further attacks or data breaches.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves verifying the version of OctoberCMS and checking the configuration related to CSS preprocessor file handling.
- Check the OctoberCMS system package version to see if it is older than 3.7.14 or 4.1.10.
- Verify if the cms.safe_mode configuration is enabled, as the vulnerability only applies when safe mode is active.
- Review backend user permissions to identify if any users have Editor-level access.
Specific commands depend on your environment, but example commands include:
- To check the OctoberCMS version via command line (if Composer is used): `composer show october/system`
- To check the `cms.safe_mode` setting, inspect the configuration file (e.g., `config/cms.php`) or run: `php artisan config:show cms.safe_mode`
- To list users with Editor permissions, query the database or use backend user management commands, depending on your setup.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the OctoberCMS system package and applying configuration changes to restrict the handling of CSS preprocessor files.
- Upgrade OctoberCMS to version 3.7.14 or 4.1.10 or later, where the vulnerability is fixed.
- If upgrading immediately is not possible, configure cms.editable_asset_types to exclude .less, .sass, and .scss files by setting it to ['css', 'js'].
- Restrict Editor tool access to fully trusted administrators only to reduce the risk of exploitation.
- Disable creation, upload, and editing of .less, .sass, and .scss files in the CMS editor, media manager, and file upload interfaces when cms.safe_mode is enabled.
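The detection checks and the workaround above can be turned into one offline assessment. The following is an added example written for this page, not code from October CMS or the advisory; it assumes the fixed releases quoted in the Q&A (3.7.14 for the 3.x branch, 4.1.10 for the 4.x branch) and the `cms.editable_asset_types` workaround, and the sample inputs at the bottom are constructed.

```python
"""Offline exposure check for CVE-2026-26067 (added example, not advisory code)."""
from __future__ import annotations

# Fixed release per branch, as quoted in the advisory Q&A (assumption: the
# installed october/system package follows this numbering).
FIXED_BY_BRANCH = {3: (3, 7, 14), 4: (4, 1, 10)}

# CSS preprocessor extensions whose @import handling is the issue.
PREPROCESSOR_TYPES = {"less", "sass", "scss"}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '3.7.9', 'v3.7.9' or '3.7.9-dev' into a comparable tuple."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable_version(version: str) -> bool:
    """True if the release predates the fix for its own branch.

    A flat 'older than 3.7.14 or 4.1.10' test is wrong across branches
    (any 3.x release is 'older' than 4.1.10), so compare per branch.
    """
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[0])
    return fixed is not None and v < fixed


def exposed_asset_types(editable_asset_types: list[str]) -> set[str]:
    """Preprocessor types still editable, i.e. the workaround is incomplete."""
    return {t.lower().lstrip(".") for t in editable_asset_types} & PREPROCESSOR_TYPES


def assess(version: str, editable_asset_types: list[str], safe_mode: bool) -> str:
    """Combine the three checks from the Q&A into a single verdict string."""
    if not is_vulnerable_version(version):
        return "patched"
    if not safe_mode:
        return "safe_mode off: not the scenario this CVE describes; upgrade anyway"
    exposed = exposed_asset_types(editable_asset_types)
    if exposed:
        return "vulnerable: editors can still edit " + ", ".join(sorted(exposed))
    return "mitigated by workaround (upgrade still required)"


if __name__ == "__main__":
    # Constructed sample: an old release with preprocessor types still editable.
    print(assess("3.7.9", ["css", "js", "less", "sass", "scss"], safe_mode=True))
```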