CVE-2026-33146 Overview
CVE-2026-33146 is an authorization bypass vulnerability affecting Docmost, an open-source collaborative wiki and documentation software platform. The vulnerability exists in versions 0.70.0 through 0.70.2 and allows unauthenticated users to access restricted child page titles and text snippets through the public search endpoint. This flaw enables unauthorized enumeration and retrieval of content that should remain hidden from public share viewers.
Critical Impact
Unauthenticated attackers can exploit the public search API endpoint to enumerate and retrieve confidential wiki content that was intended to be restricted, leading to a confidentiality breach of sensitive documentation.
Affected Products
- Docmost versions 0.70.0 through 0.70.2
- Self-hosted Docmost deployments using affected versions
- Organizations with publicly shared wiki spaces containing restricted child pages
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-33146 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-33146
Vulnerability Analysis
This authorization bypass vulnerability (CWE-285: Improper Authorization) stems from insufficient access control validation in the public search functionality. When content is publicly shared in Docmost, the search endpoint fails to properly verify whether child pages should be accessible to unauthenticated viewers, resulting in information disclosure of restricted content.
The vulnerability allows attackers to leverage the public search API to discover and access content that administrators intended to keep private, even within publicly shared parent pages. This represents a significant confidentiality concern for organizations using Docmost to manage sensitive internal documentation.
Root Cause
The root cause is improper authorization checking in the POST /api/search/share-search endpoint. When processing search requests for publicly shared content, the application fails to validate the access permissions of child pages, allowing the search functionality to return results from restricted content that should not be visible to public viewers.
Attack Vector
The attack exploits the network-accessible public search endpoint. An unauthenticated attacker can send crafted search queries to the POST /api/search/share-search endpoint to enumerate and retrieve titles and text snippets from restricted child pages within publicly shared wiki spaces. The attack requires user interaction in the form of the organization having publicly shared content, but no authentication is needed to exploit the vulnerability.
The vulnerability manifests in the share-search API endpoint where authorization checks are improperly implemented. When a search query is submitted, the endpoint returns results including restricted child page content that should be filtered based on access permissions. For complete technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-33146
Indicators of Compromise
- Unusual volume of requests to the /api/search/share-search endpoint from external IP addresses
- Search queries containing sensitive keywords that would typically be restricted
- Access logs showing unauthenticated requests returning successful responses with content snippets
- Multiple sequential search requests from the same source attempting content enumeration
Detection Strategies
- Monitor HTTP access logs for POST requests to /api/search/share-search from unauthenticated sessions
- Implement rate limiting and anomaly detection on the search endpoint to identify enumeration attempts
- Review application logs for search queries that return results from pages marked as restricted
- Deploy web application firewall rules to detect and alert on suspicious search patterns
Monitoring Recommendations
- Enable detailed logging for all search API endpoints including request payloads and response content counts
- Set up alerts for high-frequency search requests from single IP addresses or user agents
- Monitor for search queries containing terms related to sensitive organizational content
- Regularly audit publicly shared content to ensure restricted child pages are properly secured
How to Mitigate CVE-2026-33146
Immediate Actions Required
- Upgrade Docmost to version 0.70.3 or later immediately
- Audit all publicly shared wiki spaces to identify potentially exposed restricted content
- Review access logs for signs of prior exploitation or content enumeration
- Consider temporarily disabling public sharing functionality until the patch is applied
Patch Information
Docmost version 0.70.3 contains the security patch that addresses this authorization bypass vulnerability. Organizations should update their Docmost installations to this version or later. The patch implements proper authorization checks in the share-search endpoint to ensure restricted child pages are excluded from public search results.
For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Temporarily disable public sharing functionality at the application level until patching is complete
- Implement network-level access controls to restrict access to the /api/search/share-search endpoint
- Move sensitive content to separate workspaces that are not publicly shared
- Deploy a reverse proxy with access rules to block unauthenticated requests to the search endpoint
# Example: Block unauthenticated access to share-search endpoint using nginx
# Add to your nginx server configuration
location /api/search/share-search {
# Temporarily deny all access until Docmost is patched
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
