Publify - Improper Authorization Leads to Guest Signup Restriction Bypass
Description
In Publify, versions 9.0.0.pre1 to 9.2.4 are vulnerable to Improper Access Control. "guest" role users can self-register even when the admin does not allow it. This happens because the restriction is enforced only on the front end.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Publify 9.0.0.pre1 to 9.2.4 allows guest users to self-register even when admin disables signup, due to missing server-side access control.
Vulnerability
In Publify versions 9.0.0.pre1 through 9.2.4, the registration feature lacks server-side access control. The allow_signup setting is only enforced on the front-end; the back-end does not prevent guest users from submitting registration requests. This affects the Devise::RegistrationsController which is used without a custom before_action to check the blog setting [1][3].
Exploitation
An attacker with network access to a Publify instance can self-register by sending a POST request to the user registration endpoint, even if the administrator has disabled sign-up via the blog settings. No authentication or special privileges are required. The attacker simply visits the registration page or directly sends a crafted HTTP request to /users [1][3].
Impact
Successful exploitation allows an unauthenticated attacker to create a user account with the default "contributor" role. This bypasses the administrator's intended restriction, potentially leading to unauthorized access to the platform. The account can then be used to perform actions within the contributor's privileges, such as creating blog posts or comments, depending on the site's configuration [1][4].
Mitigation
The fix was implemented in commit 3447e02 and released in Publify version 9.2.5. The commit adds a custom Users::RegistrationsController with a before_action :require_signup_allowed that checks the allow_signup blog setting on the server side and returns a 404 status if registration is disabled [3]. Users should upgrade to version 9.2.5 or later. No other workarounds are documented in the available references [1][3][4].
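As an added illustration (not Publify's code and not from the advisory or the fix commit), the following Ruby models the defect described under Vulnerability and Exploitation together with the server-side check from the Mitigation section. The `Blog` stand-in with its `allow_signup` flag, the `MiniController` class with its `before_action` registry, the two registration controllers and `attempt_signup` are all constructed here; they are not Rails, Devise or Publify classes, and only the setting name and the `require_signup_allowed` filter name mirror the page. The vulnerable controller's only check is the view-side `show_signup_link?`; the hardened subclass enforces the same setting on the request path and answers 404, and `attempt_signup` sends a direct `create` request, as a client that never saw the hidden link would, returning the status and how many accounts were created.

```ruby
# Constructed stand-in for Publify's Blog record and its allow_signup setting.
# The fix's spec writes the setting as the integer 0, so accept true/1 only:
# a bare `if allow_signup` would pass for 0, which is truthy in Ruby.
Blog = Struct.new(:allow_signup) do
  def allow_signup?
    [true, 1].include?(allow_signup)
  end
end

# Minimal stand-in for a Rails controller: a class-level before_action
# registry (inherited by subclasses), request params, and a render that
# halts the filter chain the way a Rails before_action does.
class MiniController
  Response = Struct.new(:status, :body)

  def self.before_action(name, only: nil)
    filters << [name, only]
  end

  def self.filters
    @filters ||= (superclass.respond_to?(:filters) ? superclass.filters.dup : [])
  end

  def initialize(blog, params = {})
    @blog = blog
    @params = params
    @response = nil
  end

  def this_blog
    @blog
  end

  # Dispatch like Rails: run applicable filters, stop if one of them rendered,
  # otherwise run the action and return whatever it rendered.
  def process(action)
    self.class.filters.each do |name, only|
      next if only && !only.include?(action)
      send(name)
      return @response if @response
    end
    send(action)
    @response
  end

  private

  def render(plain:, status:)
    @response = Response.new(status, plain)
  end
end

# Vulnerable shape: the only check decides whether the "create account" link
# is shown. The actions themselves trust any request that reaches them.
class VulnerableRegistrationsController < MiniController
  USERS = [] # constructed in-memory user table shared by both controllers

  def self.show_signup_link?(blog)
    blog.allow_signup?
  end

  def new
    render plain: "signup form", status: 200
  end

  def create
    USERS << { email: @params[:email], profile: "contributor" }
    render plain: "created", status: 201
  end
end

# Hardened shape: the same setting is enforced on every request to the
# registration actions, regardless of what the view showed.
class HardenedRegistrationsController < VulnerableRegistrationsController
  before_action :require_signup_allowed, only: [:new, :create]

  private

  def require_signup_allowed
    render plain: "Not found", status: 404 unless this_blog.allow_signup?
  end
end

# Issue a direct create request (no link clicked) and report
# [http_status, accounts_created].
def attempt_signup(controller_class, allow_signup)
  controller_class::USERS.clear
  blog = Blog.new(allow_signup)
  response = controller_class.new(blog, email: "new@example.invalid").process(:create)
  [response.status, controller_class::USERS.size]
end

if __FILE__ == $PROGRAM_NAME
  puts "link shown with signup off: #{VulnerableRegistrationsController.show_signup_link?(Blog.new(false))}"
  puts "vulnerable, signup off:     #{attempt_signup(VulnerableRegistrationsController, false).inspect}"
  puts "hardened, signup off:       #{attempt_signup(HardenedRegistrationsController, false).inspect}"
  puts "hardened, signup on:        #{attempt_signup(HardenedRegistrationsController, true).inspect}"
end
```

Run it with `ruby`: with signup disabled the vulnerable controller still returns 201 and stores an account, while the hardened one returns 404 and stores nothing, whether the setting is `false` or the integer `0` the fix's spec uses. The filter is scoped with `only:` so that a sign-in user's own edit or delete actions would not be caught by a signup-only restriction.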
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| publify_core (RubyGems) | >= 9.0.0.pre1, < 9.2.5 | 9.2.5 |
Affected products
- (no CPE) range: >= 9.0.0, < 9.2.4
- (no CPE) range: >= 9.0.0.pre1, < 9.2.5
- publify_core/publify_core v5 Range: 9.0.0.pre1
Patches
Commit 3447e0241e92: Disallow registration rather than hiding it
4 files changed · +28 −5
publify_core/app/controllers/users/registrations_controller.rb+12 −0 added@@ -0,0 +1,12 @@ +# frozen_string_literal: true + +class Users::RegistrationsController < Devise::RegistrationsController + include BlogHelper + before_action :require_signup_allowed + + private + + def require_signup_allowed + render plain: "Not found", status: :not_found unless this_blog.allow_signup? + end +end
publify_core/config/routes.rb+2 −1 modified@@ -1,7 +1,8 @@ # frozen_string_literal: true Rails.application.routes.draw do - devise_for :users + devise_for :users, controllers: { registrations: "users/registrations" } + # TODO: use only in archive sidebar. See how made other system get ":year/:month", to: "articles#index", year: /\d{4}/, month: /\d{1,2}/, as: "articles_by_month", format: false
publify_core/Manifest.txt+1 −0 modified@@ -142,6 +142,7 @@ app/controllers/tags_controller.rb app/controllers/text_controller.rb app/controllers/textfilter_controller.rb app/controllers/theme_controller.rb +app/controllers/users/registrations_controller.rb app/controllers/xml_controller.rb app/helpers/admin/base_helper.rb app/helpers/admin/feedback_helper.rb
publify_core/spec/features/signup_spec.rb+13 −4 modified@@ -4,9 +4,6 @@ RSpec.feature "Signing up", type: :feature do before do - stub_request(:get, - "http://www.google.com/search?output=rss&q=link:www.example.com&tbm=blg"). - to_return(status: 200, body: "", headers: {}) load Rails.root.join("db/seeds.rb") Blog.first.update(blog_name: "Awesome!", base_url: "http://www.example.com/", @@ -40,6 +37,18 @@ expect(page).to have_text I18n.t!("devise.sessions.signed_in") # Confirm proper setting fo user properties - expect(User.last.email).to eq "hello@hello.com" + u = User.last + expect(u.email).to eq "hello@hello.com" + expect(u.profile).to eq "contributor" + end + + scenario "Disallow account sign-up link with a blog setting" do + Blog.first.update(allow_signup: 0) + visit admin_dashboard_path + expect(page).not_to have_link I18n.t("accounts.create_account") + + visit new_user_registration_path + + expect(page.status_code).to eq 404 end end
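Review bot: in the registrations_controller.rb hunk, `before_action :require_signup_allowed` has no `only:` option, so it runs for every Devise registration action, including `edit`, `update` and `destroy` for users who already have an account; once an administrator turns sign-up off, those users can no longer manage their own registration through the Devise routes. If that is not intended, scope the filter with `before_action :require_signup_allowed, only: %i[new create]` and add a comment explaining why `:not_found` rather than `:forbidden` is returned, since the choice is deliberate and not obvious from the code.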
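Review bot: the new scenario in signup_spec.rb only exercises `visit new_user_registration_path`, a GET, whereas the bypass being fixed is a POST to the `create` action; a feature spec cannot issue that request directly, so add a request spec that sets `allow_signup: 0`, posts to `user_registration_path`, and asserts both `expect(response).to have_http_status(:not_found)` and `expect { ... }.not_to change(User, :count)`. Separately, the removal of the `stub_request` for the Google blog-search URL in the `before` block is unrelated cleanup and would be clearer in its own commit.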
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-x24j-87x9-jvv5 (GHSA, ADVISORY)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-25973 (GHSA, ADVISORY)
- [3] github.com/publify/publify/commit/3447e0241e921b65f6eb1090453d8ea73e98387e (GHSA, x_refsource_MISC, WEB)
- [4] github.com/rubysec/ruby-advisory-db/blob/master/gems/publify_core/CVE-2021-25973.yml (GHSA, WEB)
- [5] www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25973 (GHSA, x_refsource_MISC, WEB)
News mentions
No linked articles in our index yet.