CVE-2026-29179: Incorrect Authorization Bypass in October CMS Editor Extensions
Vulnerability ID: CVE-2026-29179
CVSS Score: 3.3
Published: 2026-04-21
October CMS versions prior to 3.7.16 and 4.1.16 contain an incorrect authorization vulnerability (CWE-863) within the CMS Editor and Tailor Editor extensions. Backend users with generic editor access can bypass granular sub-permission restrictions to perform unauthorized file operations and view directory structures.
TL;DR
A low-severity incorrect authorization flaw in October CMS allows restricted backend editors to bypass sub-permissions, enabling unauthorized file operations and directory structure disclosure.
Technical Details
- CWE ID: CWE-863
- Attack Vector: Network
- CVSS Score: 3.3 (Low)
- Impact: Partial Confidentiality & Integrity
- Exploit Status: None
- KEV Status: Not Listed
Affected Systems
- October CMS Editor Extension
- October CMS Tailor Editor Extension
- October CMS < 3.7.16 (fixed in 3.7.16)
- October CMS >= 4.0.0, < 4.1.16 (fixed in 4.1.16)
Mitigation Strategies
- Upgrade October CMS 3.x to version 3.7.16
- Upgrade October CMS 4.x to version 4.1.16
- Audit backend user roles and sub-permissions
Remediation Steps
- Back up the October CMS database and application files.
- Use Composer or the October CMS backend updater to pull the latest patch for your major version.
- Verify the version upgrade via the backend dashboard or composer.json.
- Test user permissions to ensure restricted editors cannot view Tailor directory structures or perform asset modifications.
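The version check in the steps above can be scripted against the affected ranges the advisory lists. This is an added example, not code from October CMS or the advisory; it assumes the core package is recorded as `october/system` in composer.lock (an assumption, adjust to the package name your install actually uses) and embeds a constructed lock-file fragment.

```python
import json
from typing import Optional

# Affected ranges taken from the advisory: (lower bound inclusive or None, upper bound exclusive)
AFFECTED_RANGES = [
    (None, "3.7.16"),     # October CMS < 3.7.16, fixed in 3.7.16
    ("4.0.0", "4.1.16"),  # October CMS >= 4.0.0, < 4.1.16, fixed in 4.1.16
]

def parse_version(v: str) -> tuple:
    """Turn 'v3.7.15', '3.7', or '4.1.15-beta' into a comparable (major, minor, patch) tuple."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_vulnerable(version: str) -> bool:
    """True if the given October CMS version falls inside any affected range."""
    pv = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if (lo is None or pv >= parse_version(lo)) and pv < parse_version(hi):
            return True
    return False

def installed_version(composer_lock: str, package: str = "october/system") -> Optional[str]:
    """Read the locked version of the given package from composer.lock JSON text."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        if pkg.get("name") == package:
            return pkg.get("version")
    return None

def check_lock(composer_lock: str) -> tuple:
    """Return (version, vulnerable) for the installation described by composer.lock."""
    version = installed_version(composer_lock)
    if version is None:
        return (None, None)  # package not found; cannot conclude anything
    return (version, is_vulnerable(version))

# Constructed composer.lock fragment for a pre-patch 4.x install (sample data, not a real file).
SAMPLE_LOCK = json.dumps({"packages": [{"name": "october/system", "version": "v4.1.15"}]})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))  # → ('v4.1.15', True)
```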
References
- GitHub Security Advisory (GHSA-jvwg-phxx-j3rp)
- NVD Entry for CVE-2026-29179
- CVE.org Record
- October CMS Security Policy