PT-2026-34005 · October · October
Published: 2026-04-21 · Updated: 2026-04-28
CVE-2026-29179
CVSS v3.1: 3.3 (Low)
Vector: AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
October versions prior to 3.7.16
October versions prior to 4.1.16
Description
Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This allows backend users who have editor access but have editor.cms_assets or editor.tailor_blueprints specifically withheld to perform file operations such as create, delete, rename, move, and upload on theme assets or blueprint files. Additionally, an operator precedence error in the Tailor navigation discloses the theme blueprint directory tree under these same conditions.
Recommendations
Update to version 3.7.16.
Update to version 4.1.16.
Fix
Incorrect Authorization
Affected Products
October