Description
October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.
Published: 2026-04-21
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: Privilege Escalation through Permission Bypass
Action: Immediate Update
AI Analysis

Impact

October CMS allows an authenticated backend user who holds a generic editor role but lacks the editor.cms_assets or editor.tailor_blueprints sub‑permissions to create, delete, rename, move, or upload theme asset files and blueprint files. This bypass enables the user to modify or replace critical theme files and blueprint configurations, thereby compromising the integrity of the CMS installation. The flaw is based on a missing fine‑grained sub‑permission check and satisfies CWE-863 (Implicit Privilege Escalation).

Affected Systems

The vulnerability is present in October CMS versions older than 3.7.16 and 4.1.16, affecting only the October CMS product and its Tailor editor extension under the special case where a user is explicitly given the editor role but the specific asset or blueprint sub‑permissions are omitted. These versions are not patched until the targeted release updates the permission checks.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity overall, and no EPSS score is available, suggesting limited publicly documented exploitation. The flaw is exploitable only via an authenticated backend session and requires a specific, uncommon permission configuration. Regardless, an attacker who can establish a backend login might modify assets or blueprints, potentially leading to indirect code execution or configuration changes. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 22:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade October CMS to version 3.7.16 or newer, or 4.1.16 or newer for the Tailor editor extension.
  • Verify that the latest Tailor editor extension is installed and that sub‑permission checks for asset and blueprint operations are enabled.
  • Review backend role configurations and remove editor.cms_assets and editor.tailor_blueprints sub‑permissions from any role that does not require them, ensuring that editors cannot hold the generic editor role without the specific file‑operation permissions.

Generated by OpenCVE AI on April 21, 2026 at 22:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-jvwg-phxx-j3rp October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
History

Tue, 21 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Octobercms
Octobercms october
Vendors & Products Octobercms
Octobercms october

Tue, 21 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 21 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Description October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted editor access but had editor.cms_assets or editor.tailor_blueprints specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. This vulnerability is fixed in 3.7.16 and 4.1.16.
Title October: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Octobercms October
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T16:46:47.873Z

Reserved: 2026-03-04T14:44:00.713Z

Link: CVE-2026-29179

cve-icon Vulnrichment

Updated: 2026-04-21T16:46:44.504Z

cve-icon NVD

Status : Received

Published: 2026-04-21T17:16:36.053

Modified: 2026-04-21T17:16:36.053

Link: CVE-2026-29179

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T22:45:16Z

Weaknesses