Improper access control in October CMS - CVE-2026-29179

Published: April 21, 2026


Vulnerability identifier: #VU126640
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-29179
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote user to manipulate asset or blueprint files and disclose directory structure information.

The vulnerability exists due to improper access control in the CMS and Tailor editor extensions when handling asset and blueprint file operations and Tailor navigation checks. A remote privileged user can perform create, delete, rename, move, or upload operations on theme assets or blueprint files, or view the theme blueprint navigation tree, to manipulate asset or blueprint files and disclose directory structure information.

This only affects backend users with editor access who were specifically denied the editor.cms_assets or editor.tailor_blueprints sub-permissions.
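To make the described weakness concrete, the following PHP illustration (added here; not code from October CMS) models an editor whose broad editor access is granted while the editor.cms_assets sub-permission is explicitly denied, and contrasts a check that consults only the broad permission with one that also requires the operation-specific sub-permission. The broad permission key `editor`, the `hasAccess()` stub and the class/helper names are assumptions for the example.

```php
<?php
// Added illustration for this advisory; not October CMS code.
// Assumes a backend user object exposing hasAccess(string): bool.

final class EditorAccess
{
    // Sub-permissions named in the advisory, keyed by operation family.
    private const REQUIRED = [
        'asset'     => 'editor.cms_assets',
        'blueprint' => 'editor.tailor_blueprints',
    ];

    // Weak pattern: only the broad editor permission is consulted, so a
    // user explicitly denied the sub-permission still passes.
    public static function weakCheck(object $user): bool
    {
        return $user->hasAccess('editor'); // 'editor' key is assumed
    }

    // Corrected pattern: the operation-specific sub-permission must also
    // be granted before any create/delete/rename/move/upload or tree view.
    public static function strictCheck(object $user, string $kind): bool
    {
        if (!isset(self::REQUIRED[$kind])) {
            return false; // unknown operation family: deny by default
        }
        return $user->hasAccess('editor')
            && $user->hasAccess(self::REQUIRED[$kind]);
    }
}

// Constructed stand-in for a backend user: holds editor access but was
// denied the asset sub-permission while keeping the blueprint one.
$user = new class {
    private array $granted = [
        'editor'                   => true,
        'editor.cms_assets'        => false,
        'editor.tailor_blueprints' => true,
    ];
    public function hasAccess(string $p): bool
    {
        return $this->granted[$p] ?? false;
    }
};

var_dump(EditorAccess::weakCheck($user));
var_dump(EditorAccess::strictCheck($user, 'asset'));
var_dump(EditorAccess::strictCheck($user, 'blueprint'));
```

The weak check admits the constructed user to asset operations despite the denied sub-permission, which is the class of gap the advisory describes; the strict check denies asset operations and still allows blueprint ones.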


How to mitigate CVE-2026-29179

Install the security update from the vendor's website.

Sources