CVE-2026-34213 Overview
CVE-2026-34213 is an improper authorization vulnerability in Docmost, an open-source collaborative wiki and documentation software. Starting in version 0.3.0 and prior to version 0.71.0, a low-privileged authenticated user can overwrite another page's attachment within the same workspace by supplying a victim attachmentId to POST /api/files/upload. This is a remote integrity issue requiring no victim interaction.
Critical Impact
Authenticated attackers can overwrite attachments belonging to other users within the same workspace, potentially destroying or replacing legitimate documents with malicious content without any user interaction required.
Affected Products
- Docmost versions 0.3.0 through 0.70.x
- Docmost collaborative wiki instances with multi-user workspaces
- Self-hosted and cloud deployments running vulnerable versions
Discovery Timeline
- April 14, 2026 - CVE-2026-34213 published to NVD
- April 14, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34213
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw exists in the file upload endpoint where the application fails to properly verify that the authenticated user has ownership or appropriate permissions over the target attachment before allowing an overwrite operation.
When a user submits a file upload request to /api/files/upload, they can specify an arbitrary attachmentId parameter. The application accepts this user-controlled identifier without validating whether the requesting user owns or has write access to the referenced attachment. This allows any authenticated user within a workspace to target and overwrite attachments belonging to other users.
The vulnerability requires network access and low-privilege authentication, making it exploitable by any user with basic workspace access. No victim interaction is necessary for successful exploitation, as the attacker simply needs to know or enumerate valid attachmentId values within their workspace.
Root Cause
The root cause is an insecure direct object reference (IDOR) vulnerability in the file upload handler. The application trusts the user-supplied attachmentId parameter without implementing proper authorization checks to verify the requesting user's relationship to the target attachment. This design flaw allows horizontal privilege escalation where users can manipulate resources belonging to other users at the same privilege level.
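The CWE-639 pattern described above, shown as an added illustration with the vulnerable handler beside a hardened one. This is not Docmost's code: the Attachment shape, the in-memory store and the handler signatures are assumptions made for this example.

```typescript
// Illustrative model of the attachment-overwrite flaw; not Docmost's code.
// The Attachment shape, the Map-backed store and the handler signatures are
// assumptions for this example.
interface User { id: string; workspaceId: string; }
interface Attachment { id: string; workspaceId: string; pageId: string; creatorId: string; body: string; }

// Constructed sample store: one attachment created by alice in workspace ws-1.
function makeStore(): Map<string, Attachment> {
  return new Map<string, Attachment>([
    ["att-1", { id: "att-1", workspaceId: "ws-1", pageId: "page-A", creatorId: "alice", body: "original" }],
  ]);
}

// Vulnerable pattern: the caller-supplied attachmentId selects the row to
// overwrite and nothing ties that row back to the caller (CWE-639 / IDOR).
function uploadVulnerable(store: Map<string, Attachment>, user: User, attachmentId: string, body: string): Attachment {
  const existing = store.get(attachmentId);
  if (!existing) throw new Error("not found");
  existing.body = body; // any workspace member can reach this line
  return existing;
}

// Hardened pattern: the row must sit in the caller's workspace, and the caller
// must be its creator or hold explicit edit rights on the page it belongs to.
function uploadHardened(
  store: Map<string, Attachment>, user: User, attachmentId: string, body: string,
  canEditPage: (u: User, pageId: string) => boolean,
): Attachment {
  const existing = store.get(attachmentId);
  // Same error for "missing" and "in another workspace" so the endpoint does
  // not confirm which ids exist outside the caller's workspace.
  if (!existing || existing.workspaceId !== user.workspaceId) throw new Error("not found");
  if (existing.creatorId !== user.id && !canEditPage(user, existing.pageId)) throw new Error("forbidden");
  existing.body = body;
  return existing;
}
```

The ownership check belongs in the handler that resolves attachmentId, not only in the UI: the endpoint is reachable directly with any valid session.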
Attack Vector
The attack is conducted over the network by an authenticated user with low privileges. An attacker would:
- Authenticate to a Docmost workspace with any valid user credentials
- Identify or enumerate valid attachmentId values belonging to other users
- Craft a POST request to /api/files/upload with the victim's attachmentId
- Submit a malicious or replacement file that overwrites the original attachment
The vulnerability allows attackers to corrupt document integrity by replacing legitimate attachments with arbitrary content, potentially embedding malicious files or destroying important documentation. Since no user interaction is required, victims may not immediately notice their attachments have been compromised.
Detection Methods for CVE-2026-34213
Indicators of Compromise
- Unexpected changes to attachment files with no corresponding user activity in audit logs
- Multiple file upload requests to /api/files/upload containing attachmentId values owned by different users
- Attachment modification timestamps that do not correlate with legitimate owner activity
- User reports of corrupted or replaced document attachments
Detection Strategies
- Monitor file upload API requests for attachmentId parameters that reference attachments not owned by the authenticated user
- Implement anomaly detection for unusual patterns of attachment modifications within workspaces
- Review web server and application logs for suspicious POST /api/files/upload activity patterns
- Deploy application-layer monitoring to detect authorization bypass attempts
Monitoring Recommendations
- Enable detailed audit logging for all file upload operations including user identity and target attachment references
- Configure alerts for attachment modifications where the modifier differs from the original uploader
- Implement rate limiting on the file upload endpoint to slow enumeration attempts
- Review workspace activity logs regularly for signs of unauthorized attachment access
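The indicator in the Indicators of Compromise list (upload requests whose attachmentId belongs to a different user) and the "modifier differs from the original uploader" alert above, implemented as an added example over constructed log lines. This is not Docmost code or its real log format: the one-JSON-object-per-request layout and the ownership table are assumptions for the example.

```typescript
// Added detection example; not Docmost code. The log line format (one JSON
// object per upload request) and the ownership table are constructed
// assumptions; a real deployment would source both from its own logs and DB.
interface UploadEvent { ts: string; userId: string; attachmentId: string; }
interface Finding extends UploadEvent { ownerId: string; }

// Constructed sample: a legitimate self-overwrite by alice, then two
// overwrites by bob targeting attachments created by other users, plus a
// malformed line that a robust sweep must skip rather than abort on.
const sampleLog = [
  '{"ts":"2026-04-14T10:00:00Z","userId":"alice","attachmentId":"att-1"}',
  '{"ts":"2026-04-14T10:05:00Z","userId":"bob","attachmentId":"att-1"}',
  '{"ts":"2026-04-14T10:05:03Z","userId":"bob","attachmentId":"att-2"}',
  "not json at all",
].join("\n");

// Constructed ownership table: attachmentId -> creating user.
const ownerByAttachment: Record<string, string> = { "att-1": "alice", "att-2": "carol", "att-3": "bob" };

function parseLog(text: string): UploadEvent[] {
  const out: UploadEvent[] = [];
  for (const line of text.split("\n")) {
    try {
      const e = JSON.parse(line);
      if (typeof e.userId === "string" && typeof e.attachmentId === "string") out.push(e);
    } catch {
      // malformed line: skip it, do not stop the sweep
    }
  }
  return out;
}

// Rule 1: flag any upload whose caller is not the attachment's creator.
function findForeignOverwrites(events: UploadEvent[], owners: Record<string, string>): Finding[] {
  const out: Finding[] = [];
  for (const e of events) {
    const ownerId = owners[e.attachmentId];
    if (ownerId !== undefined && ownerId !== e.userId) out.push({ ...e, ownerId });
  }
  return out;
}

// Rule 2: per user, count distinct foreign attachments touched; more than
// `threshold` in one log window points at enumeration rather than a one-off.
function suspectedEnumerators(findings: Finding[], threshold: number): string[] {
  const touched = new Map<string, Set<string>>();
  for (const f of findings) {
    if (!touched.has(f.userId)) touched.set(f.userId, new Set<string>());
    touched.get(f.userId)!.add(f.attachmentId);
  }
  const users: string[] = [];
  touched.forEach((ids, user) => { if (ids.size > threshold) users.push(user); });
  return users;
}
```

Rule 1 will also fire on legitimate collaborators editing a shared page, so tune it with the same page-permission data the patched handler consults, or route those hits to review rather than alert.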
How to Mitigate CVE-2026-34213
Immediate Actions Required
- Upgrade Docmost to version 0.71.0 or later immediately
- Audit recent file upload activity for signs of unauthorized attachment overwrites
- Review workspace attachments for unexpected modifications or suspicious content
- Consider temporarily restricting file upload capabilities until patching is complete
Patch Information
Version 0.71.0 of Docmost contains the security patch that addresses this vulnerability. The fix implements proper authorization checks to ensure that users can only overwrite attachments they own or have explicit write permissions for. Administrators should update all Docmost instances to version 0.71.0 or later. For detailed information about the patch, refer to the GitHub Security Advisory.
Workarounds
- Restrict workspace membership to trusted users only until the patch can be applied
- Implement network-level access controls to limit who can reach the Docmost API endpoints
- Enable enhanced logging and monitoring to detect exploitation attempts
- Consider placing the application behind a web application firewall (WAF) that can inspect and filter malicious requests
# Update Docmost to the patched version. docker pull alone does not change
# which tag the stack runs: if docker-compose.yml pins an older tag, change its
# image: line to docmost/docmost:0.71.0 before recreating the containers.
docker pull docmost/docmost:0.71.0
docker-compose down && docker-compose up -d
# Verify the running version (assumes the container is named docmost)
docker exec docmost cat /app/package.json | grep version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.