Executive Summary

CVE-2026-29179 is a low-severity vulnerability in OctoberCMS affecting versions up to 3.7.15 and 4.1.15. It involves a sub-permission bypass in the CMS and Tailor editor extensions where fine-grained permission checks for asset and blueprint file operations were not properly enforced.

Specifically, backend users who were granted the general editor role but explicitly denied the sub-permissions editor.cms_assets or editor.tailor_blueprints could still perform unauthorized file operations such as creating, deleting, renaming, moving, and uploading files or directories on theme assets or blueprint files.

Additionally, an operator precedence error in the Tailor navigation allowed these users to view the theme blueprint directory tree, exposing file paths and directory structure.

This vulnerability only affects authenticated backend users with editor access who have been specifically denied these sub-permissions, which is an uncommon configuration since default editor roles typically include all sub-permissions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows certain backend users with editor access but denied specific sub-permissions to perform unauthorized file operations on theme assets and blueprint files. These operations include creating, deleting, renaming, moving, and uploading files or directories.

Such unauthorized actions could lead to unintended changes or disruptions in the website's theme or blueprint configurations, potentially affecting the site's appearance or functionality.

Furthermore, the vulnerability allows these users to view the theme blueprint directory tree, which could expose sensitive file paths and directory structures.

However, the overall impact is considered low severity with limited confidentiality and integrity impact, and no availability impact.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability affects backend users with editor access who have the sub-permissions editor.cms_assets or editor.tailor_blueprints specifically withheld. Detection involves identifying such users and verifying if they can perform unauthorized file operations on theme assets or blueprint files.

Since the vulnerability is related to permission bypass within the OctoberCMS backend, detection would focus on auditing user permissions and testing file operations (create, delete, rename, move, upload) on theme assets or blueprint files by users with editor roles but restricted sub-permissions.

No specific commands or network detection methods are provided in the available resources.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OctoberCMS to version 3.7.16 or 4.1.16 or later, where the vulnerability is patched.

• Restrict the editor permission to fully trusted administrators only.
• Remove editor permissions from users who should not manage assets or blueprints.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows certain authenticated backend users with editor access but specifically withheld sub-permissions to perform unauthorized file operations on theme assets or blueprint files, and to view the theme blueprint directory tree. Although the impact is rated low in terms of confidentiality and integrity, unauthorized access to file operations and directory structures could potentially lead to exposure or modification of sensitive configuration or content files.

However, the vulnerability affects a very specific and uncommon permission configuration and requires high privileges and network access, limiting its scope. There is no direct mention of impact on personal data or protected health information, so the effect on compliance with standards like GDPR or HIPAA would depend on whether the compromised files contain regulated data.

Organizations using OctoberCMS should consider this vulnerability in their risk assessments and ensure proper permission configurations and timely patching to maintain compliance with relevant data protection regulations.

Useful 0 Not Useful 0