CVE-2026-28225

Summary

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the get_model method in ModelFilesController (line 158-160) loads models using Model.find_param(params[:model_id]) without policy_scope(), bypassing Pundit authorization. All other controllers correctly use policy_scope(Model).find_param() (e.g., ModelsController line 263). Version 0.133.1 fixes the issue.

Affected Software

VendorProductVersion RangeStatus
manyfold3dmanyfold< 0.133.1affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References