CVE-2026-24900 Overview
CVE-2026-24900 is an Insecure Direct Object Reference (IDOR) vulnerability in MarkUs, a web application used for the submission and grading of student assignments. The vulnerability exists in versions prior to 2.9.1 where the select_file_id parameter in the submissions endpoint was not properly scoped to the requesting user, allowing authenticated users to access arbitrary submission file contents by manipulating the file ID.
Critical Impact
Authenticated users can access confidential student submission files they are not authorized to view, potentially exposing sensitive academic work, personal information, and graded content.
Affected Products
- MarkUs versions prior to 2.9.1
Discovery Timeline
- 2026-02-09 - CVE CVE-2026-24900 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-24900
Vulnerability Analysis
This vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), a type of broken access control flaw. The application fails to verify that the authenticated user has proper authorization to access the requested submission file before serving its contents.
The vulnerable endpoint courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepts a select_file_id parameter to retrieve SubmissionFile objects. Because this parameter was not validated against the requesting user's permissions, any authenticated user could enumerate file IDs and retrieve submission contents belonging to other users.
Root Cause
The root cause lies in the find_appropriate_grouping helper method in app/helpers/submissions_helper.rb. The original implementation used Grouping.find(params[:grouping_id]) which performed a direct database lookup without scoping the query to the current assignment. This allowed instructors and TAs to access groupings from any assignment, not just the one in context. Additionally, the html_content? action in the submission policy was aliased to view_files? without proper authorization checks.
Attack Vector
The attack can be performed remotely over the network by any authenticated user. An attacker with valid credentials to the MarkUs application can craft requests to the submissions endpoint with arbitrary select_file_id values, iterating through IDs to discover and retrieve submission files they should not have access to. The attack requires low complexity and no user interaction beyond authentication.
# Vulnerable code in app/helpers/submissions_helper.rb
# The original implementation did not scope groupings to the assignment:
def find_appropriate_grouping(assignment_id, params)
if current_role.instructor? || current_role.ta?
Grouping.find(params[:grouping_id]) # No scoping - allows access to any grouping
else
current_role.accepted_grouping_for(assignment_id)
end
end
# Fixed code scopes the query to the assignment:
def find_appropriate_grouping(assignment, params)
if current_role.instructor? || current_role.ta?
assignment.groupings.find_by(id: params[:grouping_id]) # Properly scoped
else
current_role.accepted_grouping_for(assignment.id)
end
end
Source: GitHub Commit Reference
Detection Methods for CVE-2026-24900
Indicators of Compromise
- Unusual patterns of requests to /courses/*/assignments/*/submissions/html_content with sequential or random select_file_id parameters
- Single user accounts accessing an abnormally high number of submission files in a short time period
- Access logs showing requests for submission files from groupings not associated with the requesting user's courses or roles
Detection Strategies
- Implement anomaly detection on submission file access patterns to identify enumeration attempts
- Monitor for authentication sessions accessing files across multiple unrelated assignments or courses
- Configure web application firewalls to flag rapid sequential requests with incrementing ID parameters
Monitoring Recommendations
- Enable detailed logging for all submission file access requests including user ID, file ID, and timestamp
- Set up alerts for access denied events that may indicate failed exploitation attempts
- Review access logs periodically for users accessing files outside their expected scope
How to Mitigate CVE-2026-24900
Immediate Actions Required
- Upgrade MarkUs to version 2.9.1 or later immediately
- Review access logs to identify any potential exploitation of this vulnerability prior to patching
- Notify affected users if unauthorized access to their submissions is detected
Patch Information
The vulnerability has been fixed in MarkUs version 2.9.1. The fix modifies the find_appropriate_grouping method to properly scope grouping lookups to the current assignment, and removes the html_content? action from the overly permissive view_files? alias in the submission policy. Administrators should upgrade by pulling the latest release from the MarkUs v2.9.1 release or applying the specific security patch commit.
Workarounds
- If immediate upgrade is not possible, implement additional access control checks at the web server or reverse proxy level to validate file access requests
- Temporarily disable the html_content endpoint if not critical to operations until the patch can be applied
- Consider implementing rate limiting on submission file access endpoints to reduce the impact of enumeration attacks
# Example: Upgrade MarkUs to patched version
cd /path/to/markus
git fetch origin
git checkout v2.9.1
bundle install
rails db:migrate
rails server restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
