CVE-2026-34213

Summary

Docmost is open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, improper authorization in Docmost allows a low-privileged authenticated user to overwrite another page's attachment within the same workspace by supplying a victim attachmentId to POST /api/files/upload. This is a remote integrity issue requiring no victim interaction. Version 0.71.0 contains a patch.

Affected Software

VendorProductVersion RangeStatus
docmostdocmost>= 0.3.0, < 0.71.0affected

Weaknesses

  • CWE-639: CWE-639: Authorization Bypass Through User-Controlled Key

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References