Description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (lines 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
Published: 2026-02-26
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access to private model files
Action: Patch
AI Analysis

Impact

The vulnerability is an insecure direct object reference in the get_model method of the ModelFilesController. Because the code uses Model.find_param(params[:model_id]) without wrapping the call in a policy scope, the authorization layer is bypassed. An attacker who has legitimate credentials with read permissions can request the URL that loads a model by ID and retrieve the contents of any model in the system, regardless of ownership. This leak of proprietary or sensitive 3D designs could lead to data confidentiality loss and potential intellectual property theft.
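The two lookups that the description and this analysis contrast, as an added Ruby illustration that is not Manyfold's code: a plain-Ruby stand-in for the Rails/Pundit pieces (a relation with `find_param`, a `ModelPolicy::Scope`, and a `policy_scope` helper that takes the user explicitly), with constructed sample records and owner names, so it runs without gems or a database.

```ruby
class NotFound < StandardError; end
# Stand-in for an ActiveRecord relation; find_param resolves an id only among its records.
class Relation
  def initialize(records)
    @records = records
  end
  def find_param(param)
    @records.find { |m| m.id == Integer(param) } or raise NotFound, "model #{param}"
  end
end

Model = Struct.new(:id, :owner, :published)
# Constructed sample data (assumption): one published model, two private ones.
RECORDS = [Model.new(1, "alice", true), Model.new(2, "alice", false),
           Model.new(3, "bob", false)].freeze
# Unscoped lookup, the call the advisory names: ignores who is asking.
def Model.find_param(param)
  Relation.new(RECORDS).find_param(param)
end
# Pundit convention: policy_scope(Model) returns ModelPolicy::Scope#resolve
# for the current user; here the user is passed explicitly instead.
class ModelPolicy
  class Scope
    def initialize(user, records)
      @user, @records = user, records
    end
    # Visible: published models, or the caller's own.
    def resolve
      Relation.new(@records.select { |m| m.published || m.owner == @user })
    end
  end
end
def policy_scope(user, _klass)
  ModelPolicy::Scope.new(user, RECORDS).resolve
end

# Pre-0.133.1 shape: the id is resolved against every record.
def get_model_unscoped(_user, model_id)
  Model.find_param(model_id)
end
# Fixed shape: the id is resolved only within the caller's policy scope.
def get_model_scoped(user, model_id)
  policy_scope(user, Model).find_param(model_id)
end
# Owner of the record a lookup returns, or nil when it refuses the id.
def fetched_owner(lookup, user, model_id)
  send(lookup, user, model_id).owner
rescue NotFound
  nil
end
```

With the sample data, the unscoped lookup hands "bob" alice's private model 2, while the scoped lookup refuses it and still serves the published model and bob's own.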

Affected Systems

Any installation of Manyfold 0.133.0 or earlier that has not applied the 0.133.1 release. The affected component is the ModelFilesController in the open-source Manyfold web application, which is typically deployed as a self-hosted Ruby on Rails service. Users who have access to the web interface and an authenticated session are able to trigger the vulnerability.

Risk and Exploitability

The CVSS score of 5.3 places this in the medium severity range. The EPSS score of less than 1% suggests that, while wide-scale exploitation is unlikely, any authenticated user who can supply arbitrary IDs can carry out the attack without further reconnaissance. The vulnerability is not yet listed in the CISA KEV catalog, so no active exploitation has been reported, but the missing policy scope is a direct authorization bypass. The likely attack vector is a remote attacker with valid credentials who submits a crafted request to the get_model endpoint, forcing retrieval of models they are not authorized to view.

Generated by OpenCVE AI on April 16, 2026 at 15:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Manyfold to version 0.133.1 or later, which restores policy_scope protection in the get_model method.
  • If an upgrade is delayed, restrict access to the /models/* URLs using network firewall rules or HTTP authentication so that only privileged users can reach them.
  • Verify that Pundit policy scopes are applied correctly in all controllers; if custom policies exist, run tests to ensure they enforce ownership checks on model retrieval.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Manyfold
Manyfold manyfold
CPEs cpe:2.3:a:manyfold:manyfold:*:*:*:*:*:*:*:*
Vendors & Products Manyfold
Manyfold manyfold

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Manyfold3d
Manyfold3d manyfold
Vendors & Products Manyfold3d
Manyfold3d manyfold

Thu, 26 Feb 2026 23:00:00 +0000

Type Values Removed Values Added
Description Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
Title Manyfold has IDOR in ModelFilesController
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T18:33:16.833Z

Reserved: 2026-02-25T15:28:40.650Z

Link: CVE-2026-28225

Vulnrichment

Updated: 2026-02-27T18:33:11.636Z

NVD

Status : Analyzed

Published: 2026-02-26T23:16:36.413

Modified: 2026-02-27T16:55:07.943

Link: CVE-2026-28225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:00:13Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key