{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/simple-machines-forum/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39903"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Simple Machines Forum 2.1","Simple Machines Forum 3.0"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["Simple Machines Forum"],"content_html":"\u003cp\u003eCVE-2026-39903 describes a critical authorization bypass vulnerability affecting Simple Machines Forum (SMF) versions 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5. The flaw originates from a single-character operator error within the \u003ccode\u003eSources/Actions/AttachmentApprove.php\u003c/code\u003e file, which incorrectly causes the permission check to always pass. This vulnerability allows any authenticated user, even those with low privileges who lack the \u003ccode\u003eapprove_posts\u003c/code\u003e permission, to gain unauthorized control over pending attachments across all forum boards. Attackers can leverage this to approve, reject, or delete any attachment awaiting moderation, bypass their own content submission queues, and enumerate or remove other users' uploaded files, potentially impacting content integrity and trust within the forum environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker, as an authenticated low-privileged user, logs into a vulnerable Simple Machines Forum instance (version 2.1 prior to 2.1.8 or 3.0 prior to 3.0 Alpha 5).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies pending attachments on any board within the forum.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP POST request to the \u003ccode\u003eSources/Actions/AttachmentApprove.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes parameters for approving, rejecting, or deleting a specific pending attachment, such as its ID and the desired action.\u003c/li\u003e\n\u003cli\u003eDue to a single-character operator error in the server-side \u003ccode\u003eapprove_posts\u003c/code\u003e permission check within \u003ccode\u003eAttachmentApprove.php\u003c/code\u003e, the authorization logic is bypassed.\u003c/li\u003e\n\u003cli\u003eThe server processes the attacker's request, treating the low-privileged user as if they had the necessary \u003ccode\u003eapprove_posts\u003c/code\u003e permissions.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully approves, rejects, or deletes the target pending attachment, bypassing moderation queues or manipulating other users' content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39903 grants low-privileged authenticated users unauthorized administrative capabilities over forum attachments. This can lead to a compromise of content integrity, as malicious or inappropriate attachments could be approved and published, or legitimate content could be deleted or rejected. Attackers can bypass content moderation processes, enabling them to upload and publish content without oversight. The ability to enumerate and delete other users' pending attachments can also lead to denial of service for legitimate users or expose information about pending content.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-39903 immediately by upgrading Simple Machines Forum to version 2.1.8 or 3.0 Alpha 5.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the \u003ccode\u003eSources/Actions/AttachmentApprove.php\u003c/code\u003e endpoint, especially if originating from accounts with low privileges.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T17:20:31Z","date_published":"2026-07-10T17:20:31Z","id":"https://feed.craftedsignal.io/briefs/2026-07-smf-authz-bypass/","summary":"An authorization bypass vulnerability, CVE-2026-39903, exists in Simple Machines Forum versions 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5, allowing a low-privileged, authenticated user to exploit a single-character operator error in 'Sources/Actions/AttachmentApprove.php' to bypass permission checks, enabling them to approve, reject, or delete any pending attachments across boards, circumvent moderation queues for their own uploads, and enumerate or delete other users' pending attachments without the required 'approve_posts' permission.","title":"Simple Machines Forum Authorization Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-smf-authz-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Simple Machines Forum","version":"https://jsonfeed.org/version/1.1"}