{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34213", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T15:57:52.324Z", "datePublished": "2026-04-14T21:49:55.380Z", "dateUpdated": "2026-04-15T13:31:17.467Z"}, "containers": {"cna": {"title": "Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": ">= 0.3.0, < 0.71.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:49:55.380Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch."}], "source": {"advisory": "GHSA-89fp-2hch-j9gp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T13:31:11.461730Z", "id": "CVE-2026-34213", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:31:17.467Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34213", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T13:31:11.461730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T13:31:14.745Z"}}], "cna": {"title": "Docmost has cross-page attachment overwrite via flawed attachmentId overwrite validation", "source": {"advisory": "GHSA-89fp-2hch-j9gp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": ">= 0.3.0, < 0.71.0"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:49:55.380Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34213", "state": "PUBLISHED", "dateUpdated": "2026-04-15T13:31:17.467Z", "dateReserved": "2026-03-26T15:57:52.324Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:49:55.380Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:docmost:docmost:*:*:*:*:*:*:*:*", "matchCriteriaId": "3DBD5227-C9AE-4A0D-9607-E7238FA6D754", "versionEndExcluding": "0.71.0", "versionStartIncluding": "0.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim `attachmentId` to `POST /api/files/upload`. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch."}], "id": "CVE-2026-34213", "lastModified": "2026-04-22T18:46:54.730", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:31.193", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-89fp-2hch-j9gp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.3.0,0.71.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "docmost", "source": "cna", "vendor": "docmost"}, "product": "docmost", "vendor": "docmost"}], "analysis": {"en": {"generated_at": "2026-04-14T23:25:25.600622+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version\u00a00.71.0 or later, which removes the flawed authorization check on the attachment upload endpoint.", "If an upgrade is not feasible, restrict user roles that can upload attachments or disable the POST\u00a0/api/files/upload endpoint for low\u2011privileged users to eliminate the attack surface.", "Monitor attachment upload logs for unexpected use of known attachmentIds, and investigate any anomalous activity that could indicate exploitation of this flaw."], "summary": {"action": "Apply patch", "impact": "Integrity"}, "threat_synthesis": {"affected_systems": "Docmost collaborative wiki and documentation software is affected. Versions beginning at 0.3.0 up to, but not including, 0.71.0 are vulnerable. All installations of these versions that allow authenticated users to upload attachments are at risk.", "description_and_impact": "The flaw is an improper authorization check that permits a low\u2011privileged authenticated user to overwrite an attachment uploaded to another page within the same workspace by supplying the victim\u2019s attachmentId to the file upload endpoint. This allows the attacker to replace a legitimate file with a malicious or altered version, thereby compromising data integrity. The vulnerability is a remote integrity issue that requires no victim interaction and is identified as CWE\u2011639 (Access Control for Multi\u2011Level Security).", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate level of risk. EPSS is not available, suggesting no known exploit activity at the time of analysis, and the vulnerability is not listed in the CISA KEV catalog. Because the exploit requires only authenticated access within a workspace, a legitimate low\u2011privileged user or attacker who has compromised account credentials can execute the attack remotely and immediately, making the risk realistic for environments with loose user permissions."}}}}, "created": "2026-04-15T13:48:23.621063+00:00", "updated": "2026-04-15T14:31:57.030589+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}