PT-2026-22213 · Manyfold · Manyfold
Floppy · Published 2026-02-26 · Updated 2026-02-27 · CVE-2026-28225
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Manyfold versions prior to 0.133.1
Description: Manyfold is a self-hosted web application for managing 3D models. A flaw exists in the get_model method of the ModelFilesController (lines 158-160), where models are loaded with Model.find_param(params[:model_id]) without the authorization check that policy_scope() provides. This bypasses Pundit authorization and can allow unauthorized access to models. Other controllers correctly apply authorization with policy_scope(Model).find_param(). The model_id parameter is involved in this issue.
Recommendations: Update to version 0.133.1 or later.
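The pattern the description refers to, as an added illustration that is not Manyfold's code: an in-memory stand-in for a model relation and a Pundit-style scope class (Pundit's convention is a Scope with initialize(user, scope) and resolve) contrasts an unscoped lookup, which returns any record whose id is supplied, with a lookup routed through the policy scope, which only sees records the current user may access. The Model, Relation, ModelPolicy::Scope, get_model_unscoped and get_model_scoped names and the sample records are constructed for this example; the user is passed explicitly rather than taken from current_user as in a Rails controller.

```ruby
# Added example, not Manyfold's code. Minimal stand-ins for an ActiveRecord
# relation and a Pundit policy scope, to show why find_param must run on
# policy_scope(Model) rather than on the bare Model class.

class NotFound < StandardError; end

# Constructed record type: owner is a plain username string for brevity.
Model = Struct.new(:id, :owner, :public)

# Hypothetical stand-in for an ActiveRecord relation.
class Relation
  def initialize(records)
    @records = records
  end

  # Mirrors a find-by-param helper: returns the record or raises NotFound.
  def find_param(id)
    record = @records.find { |m| m.id == id }
    raise NotFound, "model #{id} not found" unless record
    record
  end

  def where(&filter)
    Relation.new(@records.select(&filter))
  end
end

# Pundit-style scope: initialize(user, scope) and resolve.
class ModelPolicy
  class Scope
    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # A user may see public models and the models they own.
    def resolve
      @scope.where { |m| m.public || m.owner == @user }
    end
  end
end

# Simplified policy_scope helper; Pundit's version looks up the policy class
# from the relation and uses current_user.
def policy_scope(user, relation)
  ModelPolicy::Scope.new(user, relation).resolve
end

# Constructed sample data: one public model, one private model owned by bob.
ALL_MODELS = Relation.new([
  Model.new(1, "alice", true),
  Model.new(2, "bob", false)
])

# Vulnerable shape: the lookup ignores the user entirely.
def get_model_unscoped(_user, id)
  ALL_MODELS.find_param(id)
end

# Fixed shape: the lookup only sees what the policy scope exposes.
def get_model_scoped(user, id)
  policy_scope(user, ALL_MODELS).find_param(id)
end

# Convenience for checking visibility without raising.
def visible?(user, id)
  get_model_scoped(user, id)
  true
rescue NotFound
  false
end

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: alice loads model 2 owned by #{get_model_unscoped('alice', 2).owner}"
  puts "scoped:   alice sees model 2? #{visible?('alice', 2)}"
  puts "scoped:   bob sees model 2?   #{visible?('bob', 2)}"
end
```

Because the scoped lookup raises the same not-found error for a record outside the scope as for one that does not exist, a caller cannot distinguish "forbidden" from "absent", which is the behaviour a scoped find should give.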

Tags: IDOR
Weakness Enumeration
Related Identifiers: CVE-2026-28225, GHSA-V8PW-3R2F-3FQM
Affected Products: Manyfold