Skip to content
Threat Feed
high advisory

Simple Machines Forum Authorization Bypass Vulnerability

An authorization bypass vulnerability, CVE-2026-39903, exists in Simple Machines Forum versions 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5, allowing a low-privileged, authenticated user to exploit a single-character operator error in 'Sources/Actions/AttachmentApprove.php' to bypass permission checks, enabling them to approve, reject, or delete any pending attachments across boards, circumvent moderation queues for their own uploads, and enumerate or delete other users' pending attachments without the required 'approve_posts' permission.

CVE-2026-39903 describes a critical authorization bypass vulnerability affecting Simple Machines Forum (SMF) versions 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5. The flaw originates from a single-character operator error within the Sources/Actions/AttachmentApprove.php file, which incorrectly causes the permission check to always pass. This vulnerability allows any authenticated user, even those with low privileges who lack the approve_posts permission, to gain unauthorized control over pending attachments across all forum boards. Attackers can leverage this to approve, reject, or delete any attachment awaiting moderation, bypass their own content submission queues, and enumerate or remove other users' uploaded files, potentially impacting content integrity and trust within the forum environment.

Attack Chain

  1. An attacker, as an authenticated low-privileged user, logs into a vulnerable Simple Machines Forum instance (version 2.1 prior to 2.1.8 or 3.0 prior to 3.0 Alpha 5).
  2. The attacker identifies pending attachments on any board within the forum.
  3. The attacker sends an HTTP POST request to the Sources/Actions/AttachmentApprove.php endpoint.
  4. The request includes parameters for approving, rejecting, or deleting a specific pending attachment, such as its ID and the desired action.
  5. Due to a single-character operator error in the server-side approve_posts permission check within AttachmentApprove.php, the authorization logic is bypassed.
  6. The server processes the attacker's request, treating the low-privileged user as if they had the necessary approve_posts permissions.
  7. The attacker successfully approves, rejects, or deletes the target pending attachment, bypassing moderation queues or manipulating other users' content.

Impact

Successful exploitation of CVE-2026-39903 grants low-privileged authenticated users unauthorized administrative capabilities over forum attachments. This can lead to a compromise of content integrity, as malicious or inappropriate attachments could be approved and published, or legitimate content could be deleted or rejected. Attackers can bypass content moderation processes, enabling them to upload and publish content without oversight. The ability to enumerate and delete other users' pending attachments can also lead to denial of service for legitimate users or expose information about pending content.

Recommendation

  • Patch CVE-2026-39903 immediately by upgrading Simple Machines Forum to version 2.1.8 or 3.0 Alpha 5.
  • Monitor web server logs for suspicious POST requests to the Sources/Actions/AttachmentApprove.php endpoint, especially if originating from accounts with low privileges.