Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-33146

CVE-2026-33146: Docmost Auth Bypass Vulnerability

CVE-2026-33146 is an authorization bypass flaw in Docmost that exposes restricted child page titles and snippets through the public search endpoint. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-33146 Overview

CVE-2026-33146 is an authorization bypass vulnerability affecting Docmost, an open-source collaborative wiki and documentation software platform. The vulnerability exists in versions 0.70.0 through 0.70.2 and allows unauthenticated users to access restricted child page titles and text snippets through the public search endpoint. This flaw enables unauthorized enumeration and retrieval of content that should remain hidden from public share viewers.

Critical Impact

Unauthenticated attackers can exploit the public search API endpoint to enumerate and retrieve confidential wiki content that was intended to be restricted, leading to a confidentiality breach of sensitive documentation.

Affected Products

  • Docmost versions 0.70.0 through 0.70.2
  • Self-hosted Docmost deployments using affected versions
  • Organizations with publicly shared wiki spaces containing restricted child pages

Discovery Timeline

  • 2026-04-14 - CVE CVE-2026-33146 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2026-33146

Vulnerability Analysis

This authorization bypass vulnerability (CWE-285: Improper Authorization) stems from insufficient access control validation in the public search functionality. When content is publicly shared in Docmost, the search endpoint fails to properly verify whether child pages should be accessible to unauthenticated viewers, resulting in information disclosure of restricted content.

The vulnerability allows attackers to leverage the public search API to discover and access content that administrators intended to keep private, even within publicly shared parent pages. This represents a significant confidentiality concern for organizations using Docmost to manage sensitive internal documentation.

Root Cause

The root cause is improper authorization checking in the POST /api/search/share-search endpoint. When processing search requests for publicly shared content, the application fails to validate the access permissions of child pages, allowing the search functionality to return results from restricted content that should not be visible to public viewers.

Attack Vector

The attack exploits the network-accessible public search endpoint. An unauthenticated attacker can send crafted search queries to the POST /api/search/share-search endpoint to enumerate and retrieve titles and text snippets from restricted child pages within publicly shared wiki spaces. The attack requires user interaction in the form of the organization having publicly shared content, but no authentication is needed to exploit the vulnerability.

The vulnerability manifests in the share-search API endpoint where authorization checks are improperly implemented. When a search query is submitted, the endpoint returns results including restricted child page content that should be filtered based on access permissions. For complete technical details, refer to the GitHub Security Advisory.

Detection Methods for CVE-2026-33146

Indicators of Compromise

  • Unusual volume of requests to the /api/search/share-search endpoint from external IP addresses
  • Search queries containing sensitive keywords that would typically be restricted
  • Access logs showing unauthenticated requests returning successful responses with content snippets
  • Multiple sequential search requests from the same source attempting content enumeration

Detection Strategies

  • Monitor HTTP access logs for POST requests to /api/search/share-search from unauthenticated sessions
  • Implement rate limiting and anomaly detection on the search endpoint to identify enumeration attempts
  • Review application logs for search queries that return results from pages marked as restricted
  • Deploy web application firewall rules to detect and alert on suspicious search patterns

Monitoring Recommendations

  • Enable detailed logging for all search API endpoints including request payloads and response content counts
  • Set up alerts for high-frequency search requests from single IP addresses or user agents
  • Monitor for search queries containing terms related to sensitive organizational content
  • Regularly audit publicly shared content to ensure restricted child pages are properly secured

How to Mitigate CVE-2026-33146

Immediate Actions Required

  • Upgrade Docmost to version 0.70.3 or later immediately
  • Audit all publicly shared wiki spaces to identify potentially exposed restricted content
  • Review access logs for signs of prior exploitation or content enumeration
  • Consider temporarily disabling public sharing functionality until the patch is applied

Patch Information

Docmost version 0.70.3 contains the security patch that addresses this authorization bypass vulnerability. Organizations should update their Docmost installations to this version or later. The patch implements proper authorization checks in the share-search endpoint to ensure restricted child pages are excluded from public search results.

For detailed patch information, refer to the GitHub Security Advisory.

Workarounds

  • Temporarily disable public sharing functionality at the application level until patching is complete
  • Implement network-level access controls to restrict access to the /api/search/share-search endpoint
  • Move sensitive content to separate workspaces that are not publicly shared
  • Deploy a reverse proxy with access rules to block unauthenticated requests to the search endpoint
bash
# Example: Block unauthenticated access to share-search endpoint using nginx
# Add to your nginx server configuration
location /api/search/share-search {
    # Temporarily deny all access until Docmost is patched
    deny all;
    return 403;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.