CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MQQ5-J7W8-2HGH: Missing Authorization in Alchemy CMS API Pages Controller

Vulnerability ID: GHSA-MQQ5-J7W8-2HGH
CVSS Score: 7.5
Published: 2026-06-19

A critical missing authorization vulnerability exists in the API Pages Controller of Alchemy CMS. An unauthenticated remote attacker can exploit the 'nested' action to retrieve the entire nested page tree. Furthermore, by appending the query parameter '?elements=true', the attacker can extract sensitive content from draft, unpublished, and restricted pages, bypassing all access controls.

TL;DR

Unauthenticated remote attackers can dump the entire nested page structure and elements of Alchemy CMS via a missing authorization check on the API nested pages endpoint.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862 (Missing Authorization)
  • Attack Vector: Network (Unauthenticated)
  • CVSS Score: 7.5 (High)
  • Exploit Status: Proof-of-concept (PoC) available
  • KEV Status: Not listed
  • Impact: Full disclosure of unpublished, draft, and restricted pages and elements

Affected Systems

  • Alchemy CMS installations relying on the API Pages Controller
  • alchemy_cms: <= 7.4.14 (Fixed in: 7.4.15)
  • alchemy_cms: >= 8.0.0.a, <= 8.0.14 (Fixed in: 8.0.15)
  • alchemy_cms: >= 8.1.0, <= 8.1.13 (Fixed in: 8.1.14)
  • alchemy_cms: >= 8.2.0, <= 8.2.5 (Fixed in: 8.2.6)

Code Analysis

Commit: 8417a2e

fix(api): authorize nested pages endpoint against restricted content

Mitigation Strategies

  • Upgrade the alchemy_cms gem to a secure, patched version
  • Deploy a custom Rails controller filter to enforce authorization at the route level
  • Restrict network access to the API endpoints using Web Application Firewall (WAF) rules

Remediation Steps:

  1. Identify the current active branch of the alchemy_cms installation
  2. Modify the Gemfile to require a version equal to or greater than the fixed release for that branch: 8.2.6, 8.1.14, 8.0.15, or 7.4.15
  3. Execute the bundle update command to retrieve and apply the security patch
  4. Verify the remediation by executing an unauthenticated GET request to the nested pages API endpoint
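
A lockfile check for remediation steps 1 and 2, as an added example (not code from the advisory or from Alchemy CMS): it reads the resolved alchemy_cms version from Gemfile.lock text and compares it with the ranges listed under Affected Systems. The sample lockfile and the `example_plugin` gem name are constructed for illustration; the only APIs used are RubyGems' `Gem::Version` and `Gem::Requirement`.

```ruby
require "rubygems"

# Affected ranges and fixed releases, copied from "Affected Systems" above.
ADVISORY = [
  { affected: Gem::Requirement.new("<= 7.4.14"),               fixed: "7.4.15" },
  { affected: Gem::Requirement.new(">= 8.0.0.a", "<= 8.0.14"), fixed: "8.0.15" },
  { affected: Gem::Requirement.new(">= 8.1.0", "<= 8.1.13"),   fixed: "8.1.14" },
  { affected: Gem::Requirement.new(">= 8.2.0", "<= 8.2.5"),    fixed: "8.2.6" }
].freeze

# Constructed sample input; example_plugin is a hypothetical gem name.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alchemy_cms (8.1.13)
        rails (>= 7.1)
      example_plugin (1.0.0)
        alchemy_cms (>= 8.1.0)

  DEPENDENCIES
    alchemy_cms (~> 8.1)
LOCK

# Resolved gems sit at exactly four spaces of indent in the specs section.
# Deeper lines are other gems' constraints and two-space lines are the
# DEPENDENCIES section, so neither is mistaken for the installed version.
def locked_alchemy_version(lockfile_text)
  m = lockfile_text.match(/^ {4}alchemy_cms \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Returns { version:, affected:, upgrade_to: } for the given lockfile text.
# Pre-releases such as 8.0.0.rc1 sort after 8.0.0.a and before 8.0.0,
# so they fall inside the 8.0 range.
def assess(lockfile_text)
  version = locked_alchemy_version(lockfile_text)
  return { version: nil, affected: false, upgrade_to: nil } unless version
  hit = ADVISORY.find { |row| row[:affected].satisfied_by?(version) }
  { version: version.to_s, affected: !hit.nil?, upgrade_to: hit && hit[:fixed] }
end

if $PROGRAM_NAME == __FILE__
  path = ARGV[0]
  result = assess(path && File.file?(path) ? File.read(path) : SAMPLE_LOCK)
  puts result.inspect
end
```

Run it with the path to a Gemfile.lock as the first argument; with no argument it evaluates the constructed sample.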

Read the full report for GHSA-MQQ5-J7W8-2HGH on our website for more details including interactive diagrams and full exploit analysis.
