CVE-2026-33486 Overview
CVE-2026-33486 is a Server-Side Request Forgery (SSRF) vulnerability affecting the Roadiz documents component (roadiz/documents), a part of the Roadiz polymorphic content management system. This vulnerability allows an authenticated attacker with high privileges to read arbitrary files on the server's local file system that the web server process has access to. The exposure includes highly sensitive data such as environment variables, database credentials, and internal configuration files.
The vulnerability exists in versions prior to 2.7.9, 2.6.28, 2.5.44, and 2.3.42 and has been addressed in the respective patched releases.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to access sensitive server-side files including environment variables, database credentials, and configuration files, potentially leading to full system compromise.
Affected Products
- Roadiz Documents (roadiz/documents) versions prior to 2.7.9
- Roadiz Documents (roadiz/documents) versions prior to 2.6.28
- Roadiz Documents (roadiz/documents) versions prior to 2.5.44
- Roadiz Documents (roadiz/documents) versions prior to 2.3.42
Discovery Timeline
- 2026-03-26 - CVE-2026-33486 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33486
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The SSRF vulnerability exists in the DownloadedFile::fromUrl method within the Roadiz documents library. The function failed to properly validate and sanitize user-supplied URLs before making server-side requests, allowing attackers to craft malicious URLs that target internal resources.
An authenticated attacker with high privileges could exploit this vulnerability by providing specially crafted URLs that use file protocols (such as file://) or target internal network addresses. When processed by the vulnerable fromUrl method, these malicious URLs would cause the server to read local files or make requests to internal services, effectively bypassing network security controls.
The attack is network-accessible and requires no user interaction, though it does require high-level authentication privileges. The vulnerability has a changed scope, meaning the impact extends beyond the vulnerable component itself to affect confidentiality of resources the web server has access to.
Root Cause
The root cause of this vulnerability lies in the DownloadedFile::fromUrl method's lack of URL validation. Prior to the patch, the method would directly open and process any URL provided without checking whether it was a safe remote URL. This allowed attackers to supply URLs pointing to local files (via file:// protocol) or internal network resources, which the server would then fetch and potentially expose.
The function used PHP's fopen() to open URLs without any restrictions on:
- URL schemes (allowing file://, php://, etc.)
- Internal/private IP addresses
- HTTP redirects that could lead to internal resources
Attack Vector
The attack vector for CVE-2026-33486 requires network access and authenticated access with high privileges. An attacker would:
- Authenticate to the Roadiz CMS with an account that has permissions to upload or manage documents
- Craft a malicious URL targeting local files (e.g., file:///etc/passwd or file:///var/www/.env)
- Submit this URL to a function that processes remote file downloads
- The server would fetch the local file contents, exposing sensitive data
The patch introduces proper URL validation through a new isSafeRemoteUrl() method and configures stream context options to prevent HTTP redirect following:
public static function fromUrl(string $url, ?string $originalName = null): ?DownloadedFile
{
try {
+ if (!self::isSafeRemoteUrl($url)) {
+ return null;
+ }
+
$baseName = static::sanitizeFilename(pathinfo($url, PATHINFO_BASENAME));
- $distantResource = fopen($url, 'r');
+ $streamContext = stream_context_create([
+ 'http' => [
+ 'follow_location' => 0,
+ 'timeout' => 10,
+ ],
+ 'https' => [
+ 'follow_location' => 0,
+ 'timeout' => 10,
+ ],
+ ]);
+
+ $distantResource = fopen($url, 'r', false, $streamContext);
if (false === $distantResource) {
return null;
}
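Review bot: the guard at the top of the hunk (if (!self::isSafeRemoteUrl($url)) { return null; }) rejects silently, so a blocked file:// or internal-address URL is indistinguishable, for callers and for operators, from an ordinary download failure (the false === $distantResource branch also returns null); log the rejected URL and its scheme before returning so the monitoring described further down has an event to match on. The body of isSafeRemoteUrl() is not part of this hunk, so the review cannot confirm that it resolves host names to addresses before testing for internal ranges; please include it or its tests. Minor: PHP's https:// wrapper reads its options from the 'http' key of the stream context, so the duplicate 'https' array passed to stream_context_create() is not consulted and can be dropped.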
Source: GitHub Commit Update
Detection Methods for CVE-2026-33486
Indicators of Compromise
- Unusual file access patterns in web server logs showing file:// or internal URL schemes
- Access attempts to sensitive files like /etc/passwd, .env, or configuration files originating from the web application
- Unexpected outbound requests from the web server to internal IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Log entries showing document URL processing with non-HTTP/HTTPS schemes
Detection Strategies
- Monitor web application logs for URL parameters containing suspicious schemes such as file://, php://, gopher://, or dict://
- Implement network monitoring to detect server-initiated requests to internal or loopback addresses
- Review authentication logs for accounts with document management privileges that exhibit unusual activity patterns
- Deploy Web Application Firewall (WAF) rules to detect SSRF attack patterns in request parameters
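As an added illustration (not Roadiz's isSafeRemoteUrl(), whose body the advisory does not show), the guard below enforces the scheme and internal-address restrictions listed under Root Cause, and the same classifier is then run over log lines to implement the scheme and internal-target monitoring from Detection Strategies. The log format, the document_url field and the sample lines are assumptions constructed for this example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

def classify_url(url: str) -> str:
    """Return "ok" for a URL pointing at a public http(s) origin, else a short
    reason. This pre-fetch guard covers the scheme and internal-address gaps
    from the root cause; redirect following is a fetch-time setting
    (follow_location = 0 in the patch), not a property of the URL string."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in {"http", "https"}:
        return f"disallowed scheme: {scheme or 'none'}"
    host = parts.hostname  # lower-cased; IPv6 brackets already stripped
    if not host:
        return "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return "loopback host name"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name. A production guard must resolve it and run the check
        # below on every returned address; omitted here to stay offline.
        return "ok"
    if not addr.is_global:  # loopback, RFC 1918, link-local, reserved, ...
        return f"non-public address: {addr}"
    return "ok"

# Constructed log format for this example: one line per fromUrl call.
URL_FIELD = re.compile(r'document_url="(?P<url>[^"]*)"')

def scan_log(lines):
    """Return (line_no, url, reason) for each logged document URL that the
    guard above would refuse; these are the entries worth alerting on."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = URL_FIELD.search(line)
        if m and (reason := classify_url(m.group("url"))) != "ok":
            findings.append((n, m.group("url"), reason))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real Roadiz output
    'user=editor action=document.fromUrl document_url="https://cdn.example.org/a.pdf"',
    'user=editor action=document.fromUrl document_url="file:///var/www/.env"',
    'user=admin action=document.fromUrl document_url="http://10.0.0.5/status"',
    'user=admin action=document.fromUrl document_url="php://stdin"',
    'user=editor action=document.fromUrl document_url="http://[::1]:8080/admin"',
]
```

scan_log(SAMPLE_LOG) flags lines 2 to 5 (a file:// scheme, an RFC 1918 address, a php:// scheme and the IPv6 loopback) and lets the public https:// download through.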
Monitoring Recommendations
- Enable detailed logging for the Roadiz documents component, particularly for URL processing functions
- Set up alerts for any file access attempts outside of expected directories from the web server process
- Monitor for outbound connections from the web server to RFC 1918 private address spaces
- Implement egress filtering and logging to track unexpected server-side network requests
How to Mitigate CVE-2026-33486
Immediate Actions Required
- Upgrade roadiz/documents to version 2.7.9, 2.6.28, 2.5.44, or 2.3.42 (depending on your major version branch) immediately
- Audit user accounts with high-privilege access to the Roadiz CMS and remove unnecessary permissions
- Review server logs for potential exploitation attempts before patching
- Rotate any credentials (database passwords, API keys, environment variables) that may have been exposed
Patch Information
Roadiz has released patched versions that address this SSRF vulnerability. The fix introduces an isSafeRemoteUrl() validation method and configures stream contexts to prevent HTTP redirect following. The patched versions are:
- Version 2.7.9 for the 2.7.x branch
- Version 2.6.28 for the 2.6.x branch
- Version 2.5.44 for the 2.5.x branch
- Version 2.3.42 for the 2.3.x branch
For detailed information, see the GitHub Security Advisory GHSA-rc55-58f4-687g and the security patch commit.
Workarounds
- Implement network-level egress filtering to prevent the web server from accessing internal resources or using non-HTTP protocols
- Restrict file system permissions for the web server process to limit access to sensitive files
- Use a Web Application Firewall (WAF) to block requests containing SSRF-indicative URL patterns
- Limit authentication and authorization for document management features to only essential personnel
# Upgrade roadiz/documents to the patched release via Composer
composer update roadiz/documents --with-dependencies
# Verify installed version
composer show roadiz/documents | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.