PT-2026-27283 · Roadiz · Roadiz

Rocmertakdag · Published 2026-03-23 · Updated 2026-03-26 · CVE-2026-33486

CVSS v3.1: 6.8 (Medium) · Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Roadiz versions prior to 2.7.9
Roadiz versions prior to 2.6.28
Roadiz versions prior to 2.5.44
Roadiz versions prior to 2.3.42
Description

Roadiz is a polymorphic content management system based on a node system. A flaw in the RZ\Roadiz\Documents\DownloadedFile::fromUrl() function allows an authenticated attacker with ROLE_ACCESS_DOCUMENTS privileges to read any file on the server's local file system that the web server process can access. This includes sensitive data such as environment variables, database credentials, and internal configuration files. The issue arises because the application passes the URL parameter to PHP's fopen() without validating or sanitizing it, so the file:// stream wrapper can be used to open local files. An attacker can exploit this by crafting a malicious XML feed, such as a Podcast RSS feed, containing a file:// URI that points to a sensitive system file. The CMS then reads the internal file and makes it available as a downloadable document in the Media Manager. Exploitation can lead to a total loss of confidentiality for the web application and the underlying operating system, potentially enabling application compromise, system enumeration, and cloud environment compromise.
Recommendations

Versions prior to 2.7.9: Upgrade to version 2.7.9 or later.
Versions prior to 2.6.28: Upgrade to version 2.6.28 or later.
Versions prior to 2.5.44: Upgrade to version 2.5.44 or later.
Versions prior to 2.3.42: Upgrade to version 2.3.42 or later.
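The pattern behind the flaw, as an added illustration that is not Roadiz's own code: an unchecked URL handed to fopen() honours every PHP stream wrapper, whereas a scheme and host allowlist applied before any I/O keeps file:// and similar wrappers out. Function names and the sample URLs are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);
// Added example, not Roadiz code. Function names are assumed for illustration.
// Vulnerable pattern: the URL reaches fopen() unchecked, so every stream
// wrapper PHP supports is honoured, including file:// for local files.
function downloadUnsafe(string $url): string|false
{
    $handle = @fopen($url, 'rb');
    if ($handle === false) {
        return false;
    }
    $data = stream_get_contents($handle);
    fclose($handle);
    return $data;
}

// Hardened check: accept only absolute http(s) URLs that carry a host, so
// local wrappers (file://, php://, phar://, ...) never reach fopen().
function isRemoteHttpUrl(string $url): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    return isset($parts['host']) && $parts['host'] !== '';
}

function downloadSafe(string $url): string|false
{
    if (!isRemoteHttpUrl($url)) {
        return false; // reject before any I/O happens
    }
    $context = stream_context_create(['http' => ['timeout' => 10]]);
    $handle = @fopen($url, 'rb', false, $context);
    if ($handle === false) {
        return false;
    }
    $data = stream_get_contents($handle);
    fclose($handle);
    return $data;
}

// Constructed feed enclosure URLs: the check must run before fopen(), not after.
foreach (['https://example.com/episode.mp3', 'file:///etc/hostname', 'ftp://example.com/x'] as $candidate) {
    printf("%-35s %s\n", $candidate, isRemoteHttpUrl($candidate) ? 'allowed' : 'rejected');
}
```

Restricting the scheme removes the local-file read; it does not by itself stop requests to internal network hosts (the SSRF angle this advisory is tagged with), which needs a separate host and resolved-address check.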

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-33486
GHSA-RC55-58F4-687G

Affected Products

Roadiz