Improper access control in October CMS - CVE-2026-26067

 

Published: April 21, 2026


Vulnerability identifier: #VU126643
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26067
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software:
October CMS

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the CSS preprocessor compilers when they process crafted .less, .sass, or .scss files. A remote privileged user can leverage the compiler import functionality to read arbitrary files from the server and disclose sensitive information.

Only backend users with Editor permissions can exploit this issue, and it is relevant only when cms.safe_mode is enabled.


How to mitigate CVE-2026-26067

Install the security update from the vendor's website.
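
An audit sketch for the import behaviour described above, added here as an example and not taken from the advisory or from October CMS: it walks a theme directory and reports `@import` targets in .less, .sass and .scss files that resolve outside that directory. The theme path, the function names and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

STYLE_EXTS = (".less", ".sass", ".scss")
# "@import", optional Less options such as "(reference)", then the target list.
IMPORT_RE = re.compile(r"@import\b(?:\s*\([^)]*\))?\s*(.+)")
QUOTED_RE = re.compile(r"""["']([^"']+)["']""")

def import_targets(line):
    """Return @import targets on this line (quoted, or bare as in indented Sass)."""
    m = IMPORT_RE.search(line)
    if not m:
        return []
    rest = m.group(1).rstrip("; \t\r\n")
    return QUOTED_RE.findall(rest) or [t.strip() for t in rest.split(",") if t.strip()]

def find_escaping_imports(theme_root):
    """List (file, line_no, target) for imports that resolve outside theme_root."""
    root = os.path.realpath(theme_root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(STYLE_EXTS):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                for line_no, line in enumerate(fh, 1):
                    for target in import_targets(line):
                        if re.match(r"(?:[a-z][a-z0-9+.-]*:)?//", target, re.I):
                            continue  # remote stylesheet, not a local file read
                        resolved = os.path.realpath(os.path.join(dirpath, target))
                        if os.path.commonpath([root, resolved]) != root:
                            findings.append((os.path.relpath(path, root), line_no, target))
    return findings

def demo():
    """Scan a constructed sample theme: one clean file, one with an escaping import."""
    samples = {
        "site.scss": '@import "partials/buttons";\n@import "https://example.com/a.css";\n',
        "extra.less": 'body { margin: 0; }\n@import "../../../outside";\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        assets = os.path.join(tmp, "theme", "assets")
        os.makedirs(assets)
        for name, text in samples.items():
            with open(os.path.join(assets, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return find_escaping_imports(os.path.join(tmp, "theme"))
```

Comments are not stripped before matching, so a commented-out import is reported as well; treat each hit as a line to review by hand.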
