CVE-2026-5484 Overview
A weakness has been identified in BookStackApp BookStack up to version 26.03. The vulnerability affects the function chapterToMarkdown within the file app/Exports/ExportFormatter.php of the Chapter Export Handler component. By manipulating the argument pages, an attacker can bypass improper access controls to access pages they should not have permission to view. This attack can be launched remotely, and the exploit has been made publicly available.
Critical Impact
Remote attackers can bypass permission controls during Markdown chapter exports to access restricted pages, potentially exposing sensitive documentation content to unauthorized users.
Affected Products
- BookStackApp BookStack versions up to 26.03
- BookStack Chapter Export Handler component
- app/Exports/ExportFormatter.php module
Discovery Timeline
- 2026-04-03 - CVE-2026-5484 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5484
Vulnerability Analysis
This vulnerability is classified as CWE-266 (Incorrect Privilege Assignment), manifesting as an authorization bypass in BookStack's chapter export functionality. The core issue lies in how the chapterToMarkdown function retrieves pages for export without properly validating the user's access permissions to each individual page.
When a user exports a chapter to Markdown format, the vulnerable code iterates through all pages associated with the chapter regardless of whether the requesting user has permission to view those pages. This allows authenticated users to export chapter content that may include pages they are explicitly restricted from accessing through normal navigation.
The vulnerability is exploitable remotely through the application's export functionality and requires no special privileges beyond basic authentication. The attack enables information disclosure of potentially sensitive documentation content.
Root Cause
The root cause is the use of $chapter->pages instead of $chapter->getVisiblePages() when iterating through pages for export. The pages property returns all pages in the chapter without filtering based on the current user's permissions, while getVisiblePages() properly applies visibility checks and access control filtering.
This represents a classic authorization bypass where a privileged operation (direct database relationship access) was used instead of the permission-aware alternative, allowing the export function to bypass BookStack's normal access control mechanisms.
Attack Vector
The attack is network-based and can be executed by any authenticated user with access to the chapter export functionality. An attacker would:
- Identify a chapter containing pages they cannot normally access
- Trigger the Markdown export function for that chapter
- Receive an exported document containing content from restricted pages
The following patch shows the fix applied in commit 8a59895ba063040cc8dafd82e94024c406df3d04:
$text .= $description . "\n\n";
}
- foreach ($chapter->pages as $page) {
+ foreach ($chapter->getVisiblePages() as $page) {
$text .= $this->pageToMarkdown($page) . "\n\n";
}
Source: GitHub Commit Details
Additionally, the patch includes hardening of the download response factory to prevent filename injection:
protected function getHeaders(string $fileName, int $fileSize, string $mime = 'application/octet-stream'): array
{
$disposition = ($mime === 'application/octet-stream') ? 'attachment' : 'inline';
- $downloadName = str_replace('"', '', $fileName);
+
+ $downloadName = str_replace(['"', '/', '\\', '$'], '', $fileName);
+ $downloadName = preg_replace('/[\\x00-\\x1F\\x7F]/', '', $downloadName);
+ $encodedDownloadName = rawurlencode($downloadName);
return [
'Content-Type' => $mime,
'Content-Length' => $fileSize,
- 'Content-Disposition' => "{$disposition}; filename=\"{$downloadName}\"",
+ 'Content-Disposition' => "{$disposition}; filename*=UTF-8''{$encodedDownloadName}",
'X-Content-Type-Options' => 'nosniff',
];
}
Source: GitHub Commit Details
Detection Methods for CVE-2026-5484
Indicators of Compromise
- Unusual chapter export requests from users who have limited page-level permissions
- Audit logs showing export operations that include pages the requesting user cannot normally view
- Increased export activity from specific user accounts targeting permission-restricted chapters
Detection Strategies
- Monitor web application logs for requests to /exports/chapter/ endpoints, particularly from users with restricted permissions
- Implement audit logging to track which pages are included in chapter exports versus user visibility permissions
- Review access logs for patterns of bulk export requests that may indicate information harvesting
Monitoring Recommendations
- Enable detailed audit logging for all export operations in BookStack
- Configure alerts for export requests that exceed normal usage patterns
- Implement user behavior analytics to detect potential data exfiltration attempts through export functionality
- Review and correlate export logs with user permission configurations periodically
How to Mitigate CVE-2026-5484
Immediate Actions Required
- Upgrade BookStackApp BookStack to version 26.03.1 or later immediately
- Review recent export logs to identify any potential exploitation attempts
- Audit user permissions to ensure sensitive pages have appropriate access restrictions
- Consider temporarily disabling chapter export functionality until patching is complete
Patch Information
The vulnerability is addressed in BookStack version 26.03.1. The fix is contained in commit 8a59895ba063040cc8dafd82e94024c406df3d04, which modifies the chapterToMarkdown function to use getVisiblePages() instead of directly accessing the pages relationship.
For detailed patch information, refer to:
Workarounds
- Restrict access to the chapter export functionality at the web server level until patching is possible
- Review and tighten page-level permissions to minimize exposure of sensitive content
- Implement additional monitoring on export endpoints to detect suspicious activity
# Example: Disable chapter export routes in nginx until patched
# Add to your BookStack nginx configuration
location ~* /exports/chapter/ {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
