Compliance Impact

The vulnerability allows unauthorized access to confidential documents and files uploaded by other users due to improper authorization checks. This unauthorized disclosure of sensitive information can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and confidential data.

Specifically, since the vulnerability enables any authenticated user to download files belonging to others without proper ownership verification, it compromises confidentiality requirements mandated by these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42277 is an Insecure Direct Object Reference (IDOR) vulnerability in the Onyx AI platform. It affects versions before 3.0.9, 3.1.6, and 3.2.6. The vulnerability exists in the GET /chat/file/{file_id} endpoint, which allows any authenticated user to download files uploaded by other users by providing the file UUID.

Although the endpoint verifies that the caller is authenticated, it does not check whether the file actually belongs to the requesting user. This means an attacker who knows or obtains a file UUID can access confidential documents, chat attachments, and other files uploaded by any user in the system.

The root cause is improper authorization checks in the functions responsible for fetching files, which fail to validate file ownership. This issue was patched in versions 3.0.9, 3.1.6, and 3.2.6.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized access to confidential and sensitive files uploaded by other users within the Onyx platform.

• An attacker who obtains a file UUID can download private documents and chat attachments that they should not have access to.
• This compromises the confidentiality of user data, potentially exposing sensitive information.

The vulnerability requires the attacker to be authenticated but has low attack complexity and does not require user interaction beyond authentication.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to access the /chat/file/{file_id} endpoint with a file UUID that does not belong to the authenticated user. If the system allows downloading files without verifying ownership, it is vulnerable.

A practical detection method is to use an HTTP client tool such as curl or wget to send authenticated requests to the endpoint with different file UUIDs and observe if files belonging to other users are accessible.

• Example curl command to test access to a file UUID: curl -i -H "Authorization: Bearer <token>" https://<onyx-server>/chat/file/<file_uuid>
• Replace <token> with a valid authentication token and <file_uuid> with a file identifier that may belong to another user.

If the response returns the file content without proper authorization errors, the vulnerability is present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade the Onyx application to a patched version where this vulnerability is fixed.

• Upgrade to Onyx version 3.0.9 or later if using the 3.0.x branch.
• Upgrade to Onyx version 3.1.6 or later if using the 3.1.x branch.
• Upgrade to Onyx version 3.2.6 or later if using the 3.2.x branch.

Until the upgrade is applied, restrict access to the /chat/file/{file_id} endpoint to only trusted users or disable the endpoint if possible to prevent unauthorized file downloads.

Useful 0 Not Useful 0