Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-23623

CVE-2026-23623: Collabora Online Auth Bypass Vulnerability

CVE-2026-23623 is an authorization bypass vulnerability in Collabora Online that lets view-only users download restricted files using keyboard shortcuts. This article covers the technical details, affected versions, and patches.

Published:

CVE-2026-23623 Overview

CVE-2026-23623 is an authorization bypass vulnerability in Collabora Online, a collaborative online office suite based on LibreOffice technology. The vulnerability allows users with view-only rights and no download privileges to obtain unauthorized local copies of shared files by using the keyboard shortcut Ctrl+Shift+S to initiate a file download process, even though corresponding buttons are not available in the user interface.

Critical Impact

Users can bypass access restrictions and retrieve unauthorized copies of sensitive documents shared in view-only mode, leading to potential data exfiltration and confidentiality breaches.

Affected Products

  • Collabora Online Development Edition versions prior to 25.04.08.2
  • Collabora Online versions prior to 23.05.20.1
  • Collabora Online versions prior to 24.04.17.3
  • Collabora Online versions prior to 25.04.7.5

Discovery Timeline

  • 2026-02-06 - CVE-2026-23623 published to NVD
  • 2026-02-06 - Last updated in NVD database

Technical Details for CVE-2026-23623

Vulnerability Analysis

This vulnerability is classified under CWE-285 (Improper Authorization), indicating a failure to properly enforce access control policies. The core issue lies in the disconnect between the user interface restrictions and the underlying application logic. While the Collabora Online interface correctly removes download buttons for users with view-only permissions, the application fails to enforce these restrictions at the backend when file download requests are initiated through alternative means.

The vulnerability enables a complete bypass of document access controls designed to protect sensitive shared content. Organizations relying on view-only sharing to protect confidential documents face significant risk of unauthorized data retrieval.

Root Cause

The root cause is an improper authorization check (CWE-285) in the file download functionality of Collabora Online. The access control mechanism properly restricts the UI elements but fails to validate user permissions when processing download requests initiated via keyboard shortcuts. This creates a security gap where the authorization logic is only enforced at the presentation layer rather than being consistently applied at the application logic layer.

Attack Vector

The attack is network-accessible and requires no prior authentication beyond having view-only access to a shared document. An attacker can exploit this vulnerability through the following mechanism:

  1. The attacker receives or gains view-only access to a shared document in Collabora Online
  2. Although no download buttons are visible in the interface, the attacker uses the keyboard shortcut Ctrl+Shift+S
  3. This shortcut triggers the "Save As" or download functionality directly
  4. The backend fails to verify that the requesting user has download permissions
  5. The file download process initiates, allowing the attacker to save a local copy of the document

This bypass requires minimal technical knowledge and can be exploited by any user with view-only access to sensitive documents.

Detection Methods for CVE-2026-23623

Indicators of Compromise

  • Unexpected file download requests from users who only have view-only permissions
  • Server logs showing download API calls from sessions with restricted access levels
  • Audit trails indicating document retrieval by users without download privileges
  • Unusual patterns of Ctrl+Shift+S keyboard events followed by download requests

Detection Strategies

  • Implement logging of all file download requests with associated user permission levels
  • Monitor for download API endpoint access from sessions where download permissions are not granted
  • Review access logs for patterns of document access followed by unexpected download events
  • Deploy application-layer monitoring to detect keyboard shortcut bypass attempts

Monitoring Recommendations

  • Enable verbose logging for document sharing and access control events
  • Configure alerts for download attempts by users with view-only permissions
  • Regularly audit shared document access patterns and download activity
  • Implement session monitoring to correlate user permissions with actual file operations

How to Mitigate CVE-2026-23623

Immediate Actions Required

  • Upgrade Collabora Online Development Edition to version 25.04.08.2 or later
  • Upgrade Collabora Online to version 23.05.20.1, 24.04.17.3, or 25.04.7.5 depending on your release branch
  • Review audit logs for any unauthorized document downloads prior to patching
  • Assess which sensitive documents were shared with view-only restrictions and may have been compromised

Patch Information

Collabora has released patched versions that address this authorization bypass vulnerability. The fix ensures that permission checks are properly enforced at the application logic layer, preventing keyboard shortcuts from bypassing download restrictions. Detailed patch information is available in the GitHub Security Advisory.

Affected BranchPatched Version
Development Edition25.04.08.2
23.05.x23.05.20.1
24.04.x24.04.17.3
25.04.x25.04.7.5

Workarounds

  • Restrict access to sensitive documents entirely rather than relying on view-only mode until patches can be applied
  • Implement network-level controls to limit access to Collabora Online instances containing sensitive data
  • Consider temporarily disabling document sharing features for highly confidential content
  • Monitor and audit all document access activities to detect potential exploitation attempts

The recommended approach is to apply the official patches as soon as possible. Workarounds should only be considered as temporary measures while planning the upgrade process.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.