Impact
Brave CMS contains an insecure direct object reference that enables an authenticated user with edit permissions to delete images attached to articles belonging to other users. The flaw lies in the deleteImage method of the ArticleController, which receives a filename from the URL without verifying the owner. This lack of ownership validation allows the deletion of image files that may be critical to other authors’ content, leading to integrity loss and potential disruption of publications.
Affected Systems
The vulnerability affects the Ajax30 BraveCMS 2.0 series prior to version 2.0.6. Any Brave CMS container or installation based on the 2.0 release that has not applied the 2.0.6 patch is susceptible. Users should verify their installed version; the fix is available in the 2.0.6 update released by the vendor.
Risk and Exploitability
The CVSS score of 7.1 indicates medium‑to‑high severity. The vulnerability requires the attacker to be an authenticated user with edit rights, which is typical of CMS editors or authors. Exploitation involves sending a crafted URL to the deleteImage endpoint with a target image’s filename, which the application then deletes without permission checks. Since the EPSS score is unavailable and the issue is not listed in KEV, the risk assessment rests primarily on the reported severity and on how common user accounts with edit privileges are. The attack vector is inferred to be remote, via the web interface, as the deletion request is performed over HTTP/HTTPS.
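The missing check described above, as an added example that is not Brave CMS code: the first handler checks only edit permission, the second also compares the image's owning author with the requester before deleting. The `User`, `ImageStore` and handler names are hypothetical, and the in-memory store stands in for the application's article and image records.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    can_edit: bool = True


@dataclass
class ImageStore:
    # Constructed stand-in: filename -> id of the author whose article owns it.
    owners: dict = field(default_factory=dict)


def delete_image_unchecked(store, user, filename):
    """Pattern the advisory describes: edit permission only, no ownership test."""
    if not user.can_edit:
        return 403
    if filename not in store.owners:
        return 404
    del store.owners[filename]
    return 204


def delete_image_checked(store, user, filename):
    """Same handler with the ownership check performed before the delete."""
    if not user.can_edit:
        return 403
    owner_id = store.owners.get(filename)  # resolve the filename to a record first
    if owner_id is None:
        return 404
    if owner_id != user.id:  # requester does not own the parent article
        return 403
    del store.owners[filename]
    return 204


def demo():
    """Run both handlers as user 2 against constructed sample data."""
    bob = User(id=2)
    results = {}
    for name, handler in (("unchecked", delete_image_unchecked),
                          ("checked", delete_image_checked)):
        store = ImageStore({"alice-cover.png": 1, "bob-chart.png": 2})
        other = handler(store, bob, "alice-cover.png")  # another author's image
        own = handler(store, bob, "bob-chart.png")      # requester's own image
        results[name] = (other, own, sorted(store.owners))
    return results


if __name__ == "__main__":
    print(demo())
```

A regression test for the fix can assert the same thing against the real endpoint: a request from one editor for another author's image must leave the file in place.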