CVE-2026-39903
Deferred
Deferred - Pending Action
Authorization Bypass in Simple Machines Forum
Vulnerability report for CVE-2026-39903, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-10
Last updated on: 2026-07-10
Assigner: VulnCheck
Description
Description
Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users' pending attachments.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| simple_machines_forum | 2.1 | to 2.1.8 (exc) |
| simple_machines_forum | 3.0 | to 3.0_alpha_5 (exc) |
| simple_machines | forum | to 2.1.8 (exc) |
| simple_machines | forum | to 3.0_alpha_5 (exc) |
| simple_machines | forum | 2.1 |
| simple_machines | forum | 3.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |