Description
Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.
Published: 2026-03-26
Score: 6.8 Medium
EPSS: n/a
KEV: No
Impact: Authenticated Local File Disclosure via SSRF
Action: Immediate Patch
AI Analysis

Impact

A Server-Side Request Forgery vulnerability in the Roadiz documents component allows an authenticated attacker to read arbitrary files on the server's local file system that the web server process can access. This can expose sensitive configuration data, database credentials, and environment variables, compromising confidentiality.

Affected Systems

The vulnerability affects the Roadiz core bundle (core-bundle-dev-app). Versions prior to 2.7.9, 2.6.28, 2.5.44, and 2.3.42 are vulnerable, while these patched releases eliminate the risk.

Risk and Exploitability

The CVSS score of 6.8 indicates medium severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with access to the document endpoint; once authenticated, the attacker can instruct the server to read any file within the web server's privileges. The total impact is limited to files the web server process can read, as stated in the description. The likely attack vector is an internal or external user who already holds an authenticated session with access to the document functionality.

Generated by OpenCVE AI on March 26, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Roadiz core bundle to a patched version (2.7.9, 2.6.28, 2.5.44, or 2.3.42).
  • If upgrade is not immediately possible, restrict access to the documents endpoint and limit web server file permissions to prevent sensitive file reads.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-rc55-58f4-687g
Title: Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents
History

Fri, 27 Mar 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Roadiz; Roadiz core-bundle-dev-app

Type: Vendors & Products
Values Removed: (none)
Values Added: Roadiz; Roadiz core-bundle-dev-app

Thu, 26 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 17:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.

Type: Title
Values Removed: (none)
Values Added: Roadiz has Server-Side Request Forgery (SSRF) in roadiz/documents

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:47:26.997Z

Reserved: 2026-03-20T16:16:48.971Z

Link: CVE-2026-33486

Vulnrichment

Updated: 2026-03-26T18:47:24.111Z

NVD

Status: Received

Published: 2026-03-26T18:16:29.903

Modified: 2026-03-26T18:16:29.903

Link: CVE-2026-33486

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:25:57Z

Weaknesses