{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33146", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T21:17:08.884Z", "datePublished": "2026-04-14T21:36:53.562Z", "dateUpdated": "2026-04-15T14:28:08.044Z"}, "containers": {"cna": {"title": "Docmost's Public Share Search Exposes Metadata of Restricted Children", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c"}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"version": ">= 0.70.0, < 0.70.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:36:53.562Z"}, "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch."}], "source": {"advisory": "GHSA-qq4c-8rjr-w42c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-15T14:27:54.646474Z", "id": "CVE-2026-33146", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:28:08.044Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33146", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-15T14:27:54.646474Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-15T14:28:04.553Z"}}], "cna": {"title": "Docmost's Public Share Search Exposes Metadata of Restricted Children", "source": {"advisory": "GHSA-qq4c-8rjr-w42c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "docmost", "product": "docmost", "versions": [{"status": "affected", "version": ">= 0.70.0, < 0.70.3"}]}], "references": [{"url": "https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c", "name": "https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T21:36:53.562Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33146", "state": "PUBLISHED", "dateUpdated": "2026-04-15T14:28:08.044Z", "dateReserved": "2026-03-17T21:17:08.884Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T21:36:53.562Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch."}], "id": "CVE-2026-33146", "lastModified": "2026-04-14T22:16:30.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T22:16:30.713", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.70.0,0.70.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "docmost", "source": "cna", "vendor": "docmost"}, "product": "docmost", "vendor": "docmost"}], "analysis": {"en": {"generated_at": "2026-04-14T23:26:58.471066+00:00", "value": {"mitigation_remediation": ["Upgrade Docmost to version 0.70.3 or later to apply the vendor\u2011supplied patch that removes the metadata exposure.", "If the public share search feature is not required, disable or restrict access to the /api/search/share-search endpoint to prevent unauthorized use.", "Ensure child page permissions are correctly configured so only authorized users can view content, and periodically review access control settings for any accidental exposure."], "summary": {"action": "Apply patch", "impact": "Confidentiality breach"}, "threat_synthesis": {"affected_systems": "The affected product is the Docmost open\u2011source collaborative wiki and documentation software. Users running Docmost versions 0.70.0, 0.70.1, or 0.70.2 are vulnerable. Version 0.70.3 includes the patch that disables the metadata exposure. No other vendors or products are noted.", "description_and_impact": "Docmost versions 0.70.0 through 0.70.2 contain an authorization bypass that allows unauthenticated users to retrieve titles and text snippets of restricted child pages via the public share search endpoint (POST /api/search/share-search). This flaw permits enumeration of hidden content that should be visible only to authorized viewers, exposing sensitive metadata and leading to a confidentiality breach. The weakness is an insufficient authorization (CWE\u2011285).", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The exploit is triggered solely by making unauthenticated HTTP requests to the search API, so the attack vector is remote and requires no special privileges. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, suggesting that no widely known exploits exist yet. Nevertheless, the simplicity of the request route means that an attacker could feasibly enumerate restricted content, potentially compromising sensitive information. The overall risk is moderate with a focus on confidentiality."}}}}, "created": "2026-04-15T13:48:23.623207+00:00", "updated": "2026-04-15T14:31:57.033439+00:00", "vendors": ["docmost", "docmost$PRODUCT$docmost"]}