Description
Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls. This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.

HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5
Published: 2026-03-04
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access via Incorrect Permissions
Action: Immediate Patch
AI Analysis

Impact

An improper permission check in the BlueSpice Extension:NSFileRepo module allows attackers to retrieve or modify files and directories that should be restricted, effectively bypassing the system's access control lists. The flaw aligns with CWE-552, where files or directories become accessible to external parties, and CWE-732, indicating incorrect permission assignments. An attacker who can exploit this vulnerability could read sensitive configuration data, upload malicious files, or alter the content of shared repositories, thereby compromising both confidentiality and integrity of the system.

Affected Systems

The vulnerability affects Hallo Welt! GmbH BlueSpice MediaWiki releases from version 5.1 through 5.1.3 and from 5.2 through 5.2.0. For the Extension:NSFileRepo module, the affected releases are 3.0 up to but not including 3.0.5.

Risk and Exploitability

With a CVSS score of 6.6, the issue presents a moderate severity. The EPSS score is less than 1%, indicating a very low exploitation probability at present, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote exploitation via the web interface, where an unauthenticated or low‑privileged user can trigger the faulty file access logic. Despite the low probability of exploitation, the potential impact on sensitive data warrants proactive remediation.

Generated by OpenCVE AI on April 16, 2026 at 13:38 UTC.

Remediation

Vendor Workaround

Make sure $wgGroupPermissions['*']['read'] is set to false in LocalSettings.php.


OpenCVE Recommended Actions

  • Upgrade BlueSpice to a version beyond 5.1.3 and 5.2.0, which contain the official fix for this access control issue.
  • Upgrade Extension:NSFileRepo to version 3.0.5 or later to resolve the incorrect permission assignment.
  • Apply the recommended workaround by setting $wgGroupPermissions['*']['read'] to false in LocalSettings.php until a patched release is available.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 09:15:00 +0000

  • First Time appeared (added): Hallowelt, Hallowelt bluespice
  • Vendors & Products (added): Hallowelt, Hallowelt bluespice

Wed, 04 Mar 2026 15:15:00 +0000

  • Metrics (added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 13:15:00 +0000

  • Description (removed): Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls. This issue affects BlueSpice: from 5.1 through 5.1.5, from 5.2 through 5.2.0.
  • Description (added): Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls. This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0. HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

Wed, 04 Mar 2026 12:30:00 +0000

  • Description (added): Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls. This issue affects BlueSpice: from 5.1 through 5.1.5, from 5.2 through 5.2.0.
  • Title (added): Improper permission checks in Extension:NSFileRepo
  • Weaknesses (added): CWE-552, CWE-732
  • References
  • Metrics (added): cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/RE:L'}

MITRE

Status: PUBLISHED

Assigner: HW

Published:

Updated: 2026-03-04T14:27:00.797Z

Reserved: 2026-02-06T14:21:19.100Z

Link: CVE-2026-24732

Vulnrichment

Updated: 2026-03-04T14:26:56.977Z

NVD

Status: Awaiting Analysis

Published: 2026-03-04T13:15:58.287

Modified: 2026-03-04T18:08:05.730

Link: CVE-2026-24732

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses