Description
Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.
Published: 2026-06-12
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper authorization flaw in the administrator draft autosave endpoint of Camaleon CMS. An authenticated user with low privileges can specify any post_id when posting to /admin/post_type/<POST_TYPE_ID>/drafts, thereby overwriting the draft associated with another user's post. This can lead to unauthorized modification or loss of content owned by other users, compromising data integrity and potentially allowing defacement or sabotage of draft content.

Affected Systems

Camaleon CMS version 2.9.2 on Linux, macOS, and Windows platforms is affected. The flaw exists in the draft autosave API endpoint and is accessible to users authenticated to the CMS administrator interface. All three operating systems supported by the CPE entries are impacted.

Risk and Exploitability

The CVSS score of 5.1 indicates medium severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting that it has not yet been widely exploited. An attacker must first authenticate as a low‑privileged user within the CMS; from there they can craft a POST request with an arbitrary post_id to overwrite another user's draft. The impact is limited to the affected content and does not provide further privileges or system access, but the ability to tamper with draft content poses a moderate risk to data integrity.

Generated by OpenCVE AI on June 12, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch or upgrade Camaleon CMS beyond version 2.9.2 to eliminate the improper authorization flaw.
  • Restrict the draft autosave endpoint by enforcing strict role‑based access controls so that only editors or designated users can modify drafts.
  • Monitor the /admin/post_type/*/drafts endpoint for unusual POST activity and review logs for unauthorized draft changes.

Generated by OpenCVE AI on June 12, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type/<POST_TYPE_ID>/drafts and overwrite the draft associated with another user's post.
Title Camaleon CMS 2.9.2 - Improper authorization in draft autosave endpoint
First Time appeared Camaleon Cms
Camaleon Cms camaleon Cms
Weaknesses CWE-862
CPEs cpe:2.3:a:camaleon_cms:camaleon_cms:2.9.2:*:linux:*:*:*:*:*
cpe:2.3:a:camaleon_cms:camaleon_cms:2.9.2:*:macos:*:*:*:*:*
cpe:2.3:a:camaleon_cms:camaleon_cms:2.9.2:*:windows:*:*:*:*:*
Vendors & Products Camaleon Cms
Camaleon Cms camaleon Cms
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Camaleon Cms Camaleon Cms
cve-icon MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-06-12T18:59:37.113Z

Reserved: 2026-06-02T19:25:18.444Z

Link: CVE-2026-10715

cve-icon Vulnrichment

Updated: 2026-06-12T18:59:25.452Z

cve-icon NVD

Status : Received

Published: 2026-06-12T19:16:25.387

Modified: 2026-06-12T20:16:43.000

Link: CVE-2026-10715

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T21:00:19Z

Weaknesses