VYPR
High severity · NVD Advisory · Published Jul 20, 2023 · Updated Oct 24, 2024

CVE-2023-37649

Description

Incorrect access control in the component /models/Content of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cockpit CMS v2.5.2 has an IDOR vulnerability in the Content API, allowing unauthorized attackers to access sensitive data by exploiting relational mappings.

Vulnerability

Overview

CVE-2023-37649 is an Insecure Direct Object Reference (IDOR) vulnerability in Cockpit CMS v2.5.2, specifically in the /models/Content component. The root cause lies in the Content API's handling of relational mappings: when populating related model data, the API fails to verify whether the requesting user has permission to access those related models. This allows an attacker to bypass intended access controls and retrieve data from any content model in the system [1].

Exploitation

An attacker with network access to the Cockpit CMS admin API can exploit this vulnerability by crafting requests to the /api/content/items/{model} endpoint and manipulating relational field references. Because MongoDB Object IDs are predictable, the attacker can enumerate and fetch content from models they are not authorized to view. No special privileges are required beyond the ability to make authenticated API calls (or possibly unauthenticated access, depending on configuration) [1].

Impact

Successful exploitation leads to unauthorized disclosure of sensitive data stored in any content model, including private collections, user information, or other restricted content. This information disclosure can compromise the confidentiality of the CMS and its managed data.

Mitigation

The vulnerability was patched in Cockpit CMS v2.6.0, which adds proper permission checks when populating relational mappings in the Content API [4]. Users are strongly advised to upgrade to this version or later. No workarounds are documented, but restricting network access to the admin API and implementing additional authentication layers may reduce risk.
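The flaw and the fix described above, reduced to a constructed Python model (an added illustration, not Cockpit CMS code; the content store, the permission table and all function names are assumptions): the vulnerable listing checks only the requested model and resolves relational fields unchecked, while the fixed listing consults the requester's permission for every related model before populating it.

```python
"""Constructed model of relation population with and without a per-model
permission check. Illustrative only; not Cockpit CMS code."""
from copy import deepcopy


class Forbidden(Exception):
    """Raised when the requester may not read the requested model."""


# Constructed content store: model name -> {_id -> document}. A relational
# field is a dict {"_model": ..., "_id": ...} pointing at another model's doc.
STORE = {
    "posts": {"p1": {"_id": "p1", "title": "Hello",
                     "author": {"_model": "users", "_id": "u1"}}},
    "users": {"u1": {"_id": "u1", "email": "alice@example.com"}},
}

# Constructed per-user read permissions on models (assumed, not Cockpit's).
PERMS = {"editor": {"posts", "users"}, "viewer": {"posts"}}


def can_read(user, model):
    return model in PERMS.get(user, set())


def is_relation(value):
    return isinstance(value, dict) and {"_model", "_id"} <= value.keys()


def resolve(doc, allowed):
    """Replace each relational field with the referenced document.
    `allowed(model)` decides whether a related model may be read; when it
    returns False the raw reference is kept and nothing is fetched."""
    out = {}
    for key, value in doc.items():
        if is_relation(value) and allowed(value["_model"]):
            related = STORE[value["_model"]].get(value["_id"])
            out[key] = resolve(related, allowed) if related else None
        else:
            out[key] = deepcopy(value)
    return out


def items_vulnerable(user, model):
    """Checks only the requested model; related models populate unchecked."""
    if not can_read(user, model):
        raise Forbidden(model)
    return [resolve(d, lambda m: True) for d in STORE[model].values()]


def items_fixed(user, model):
    """Same listing, but each related model is checked before population."""
    if not can_read(user, model):
        raise Forbidden(model)
    return [resolve(d, lambda m: can_read(user, m)) for d in STORE[model].values()]
```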

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: cockpit-hq/cockpit (Packagist)
Affected versions: < 2.6.0
Patched versions: 2.6.0
