{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29179", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T14:44:00.713Z", "datePublished": "2026-04-21T16:19:52.447Z", "dateUpdated": "2026-04-21T16:46:47.873Z"}, "containers": {"cna": {"title": "October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp"}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"version": ">= 4.0.0, < 4.1.16", "status": "affected"}, {"version": "< 3.7.16", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:19:52.447Z"}, "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "source": {"advisory": "GHSA-jvwg-phxx-j3rp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T16:46:35.787896Z", "id": "CVE-2026-29179", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:46:47.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29179", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T16:46:35.787896Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T16:46:44.504Z"}}], "cna": {"title": "October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations", "source": {"advisory": "GHSA-jvwg-phxx-j3rp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "octobercms", "product": "october", "versions": [{"status": "affected", "version": ">= 4.0.0, < 4.1.16"}, {"status": "affected", "version": "< 3.7.16"}]}], "references": [{"url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp", "name": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:19:52.447Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29179", "state": "PUBLISHED", "dateUpdated": "2026-04-21T16:46:47.873Z", "dateReserved": "2026-03-04T14:44:00.713Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:19:52.447Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16."}], "id": "CVE-2026-29179", "lastModified": "2026-04-22T21:08:48.550", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:36.053", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/octobercms/october/security/advisories/GHSA-jvwg-phxx-j3rp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0,4.1.16)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.7.16)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "october", "source": "cna", "vendor": "octobercms"}, "product": "october", "vendor": "octobercms"}], "analysis": {"en": {"generated_at": "2026-04-21T22:41:03.382175+00:00", "value": {"mitigation_remediation": ["Upgrade October CMS to version 3.7.16 or newer, or 4.1.16 or newer for the Tailor editor extension. ", "Verify that the latest Tailor editor extension is installed and that sub\u2011permission checks for asset and blueprint operations are enabled. ", "Review backend role configurations and remove editor.cms_assets and editor.tailor_blueprints sub\u2011permissions from any role that does not require them, ensuring that editors cannot hold the generic editor role without the specific file\u2011operation permissions."], "summary": {"action": "Immediate Update", "impact": "Privilege Escalation through Permission Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in October CMS versions older than 3.7.16 and 4.1.16, affecting only the October CMS product and its Tailor editor extension under the special case where a user is explicitly given the editor role but the specific asset or blueprint sub\u2011permissions are omitted. These versions are not patched until the targeted release updates the permission checks.", "description_and_impact": "October CMS allows an authenticated backend user who holds a generic editor role but lacks the editor.cms_assets or editor.tailor_blueprints sub\u2011permissions to create, delete, rename, move, or upload theme asset files and blueprint files. This bypass enables the user to modify or replace critical theme files and blueprint configurations, thereby compromising the integrity of the CMS installation. The flaw is based on a missing fine\u2011grained sub\u2011permission check and satisfies CWE-863 (Implicit Privilege Escalation).", "risk_and_exploitability": "The CVSS score of 3.3 indicates low severity overall, and no EPSS score is available, suggesting limited publicly documented exploitation. The flaw is exploitable only via an authenticated backend session and requires a specific, uncommon permission configuration. Regardless, an attacker who can establish a backend login might modify assets or blueprints, potentially leading to indirect code execution or configuration changes. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2026-04-21T17:30:37.394008+00:00", "updated": "2026-04-21T22:45:16.061224+00:00", "vendors": ["octobercms", "octobercms$PRODUCT$october"]}