CVE-2026-34213
Received Received - Intake
Improper Authorization in Docmost Allows Remote Attachment Overwrite

Publication date: 2026-04-14

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-14
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-15
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34213
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
docmost docmost From 0.3.0 (inc) to 0.71.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Docmost, an open-source collaborative wiki and documentation software. In versions starting from 0.3.0 up to but not including 0.71.0, there is an improper authorization issue. A low-privileged authenticated user can overwrite another page's attachment within the same workspace by providing the victim's attachment ID to the POST /api/files/upload endpoint. This means an attacker with limited permissions can modify files they should not have access to without requiring any interaction from the victim.

Impact Analysis

The impact of this vulnerability is primarily on data integrity. An attacker with low privileges can overwrite attachments belonging to other users within the same workspace, potentially replacing important files with malicious or corrupted content. This could disrupt collaboration, cause loss of important information, or introduce malicious files into the system. Since the attack requires no victim interaction and can be performed remotely, it increases the risk of unauthorized data modification.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Docmost to version 0.71.0 or later, as this version contains the patch that fixes the improper authorization issue allowing low-privileged users to overwrite attachments.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34213. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart