CVE-2026-10715
Description
Camaleon CMS 2.9.2 administrator draft autosave endpoint allows low-privileged users to overwrite other users' drafts by supplying an arbitrary post_id.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint [2]. The DraftsController's create and update methods trust the client-controlled post_id parameter to locate an existing draft and update it without verifying that the current user owns or has permission to edit the parent post. The vulnerable endpoint is accessible via POST /admin/post_type/<POST_TYPE_ID>/drafts.
Exploitation
A low-privileged authenticated user can send a crafted POST request to /admin/post_type/<POST_TYPE_ID>/drafts with an arbitrary post_id value targeting another user's draft. The server retrieves the draft associated with the provided parent post ID and overwrites its content without authorization checks.
Impact
Successful exploitation compromises content integrity. The overwritten draft may later be reviewed or published by an authorized editor or administrator, potentially leading to unintended or malicious content being displayed.
Mitigation
No official patch or fixed version has been disclosed in the available references [2]. Users are advised to restrict access to the /admin/post_type/*/drafts endpoint or implement custom authorization checks. There is no indication that this CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: = 2.9.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization check in the draft autosave endpoint allows a low-privileged user to overwrite another user's draft by supplying an arbitrary post_id."
Attack vector
A low-privileged authenticated user (User B) can overwrite another user's draft by sending a forged POST request to the draft autosave endpoint with an arbitrary `post_id` belonging to the victim (User A). The endpoint lacks authorization checks — it never invokes `authorize! :update, parent_post` and does not restrict draft lookups to posts the current user is permitted to edit [ref_id=2]. The attacker only needs a valid session cookie and CSRF token for the admin area; no special `edit_other` permission is required.
Affected code
The vulnerable endpoint is `POST /admin/post_type/<POST_TYPE_ID>/drafts`, handled by `app/controllers/camaleon_cms/admin/posts/drafts_controller.rb` (lines 11-23). The controller never calls `authorize! :update, parent_post` and does not scope the draft lookup to posts the current user may edit, unlike the normal update flow in `app/controllers/camaleon_cms/admin/posts_controller.rb` (lines 74-132) which enforces the `edit_other` permission [ref_id=2].
What the fix does
The advisory states that no patch is currently available [ref_id=2]. To remediate the vulnerability, the `DraftsController#create` action must call `authorize! :update, parent_post` before saving a draft, and should scope the draft lookup to posts the current user is authorized to edit, consistent with the authorization model enforced in `PostsController` [ref_id=2].
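The fix pattern described above, as an added example that is not Camaleon CMS code: a plain-Ruby model of the autosave path in which the draft lookup keys only on the client-supplied post_id, beside the corrected version that resolves the parent post and applies the owner-or-edit_other check before writing. User, Post, Draft, save_draft_vulnerable and save_draft_fixed are hypothetical stand-ins for the Rails controller and its `authorize!` call; the sample users, post and draft are constructed.

```ruby
# Added example, not Camaleon CMS code: a plain-Ruby model of the draft
# autosave authorization gap and its fix. User, Post, Draft and the two
# save_draft_* functions are hypothetical stand-ins for the Rails controller.
class NotAuthorized < StandardError; end

User  = Struct.new(:id, :edit_other)   # edit_other mirrors the CMS permission
Post  = Struct.new(:id, :owner_id)
Draft = Struct.new(:post_id, :content)

# Constructed sample data: User A (id 1) owns post 7; User B (id 2) is a
# low-privileged author without edit_other.
USER_A = User.new(1, false)
USER_B = User.new(2, false)
POSTS  = { 7 => Post.new(7, USER_A.id) }

def fresh_drafts
  { 7 => Draft.new(7, "A's original draft") }
end

# Vulnerable shape: the client-supplied post_id alone selects the draft,
# so any authenticated user can overwrite any draft.
def save_draft_vulnerable(_current_user, post_id, content, drafts)
  draft = drafts[post_id] ||= Draft.new(post_id, "")
  draft.content = content
  draft
end

# Rule equivalent to "authorize! :update, parent_post": owner or edit_other.
def can_update?(user, post)
  post.owner_id == user.id || user.edit_other
end

# Fixed shape: resolve the parent post, authorize, then scope the draft
# lookup to that post. Unknown and unauthorized ids fail the same way so
# the endpoint does not reveal which post_ids exist.
def save_draft_fixed(current_user, post_id, content, drafts)
  post = POSTS[post_id]
  unless post && can_update?(current_user, post)
    raise NotAuthorized, "user #{current_user.id} may not update post #{post_id}"
  end
  draft = drafts[post.id] ||= Draft.new(post.id, "")
  draft.content = content
  draft
end
```

Calling `save_draft_vulnerable(USER_B, 7, ...)` replaces User A's draft, while `save_draft_fixed` with the same arguments raises NotAuthorized and leaves the draft untouched.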
Preconditions
- auth: The attacker must be authenticated with a valid session cookie and CSRF token for the admin area.
- input: The victim (User A) must have a post that has an associated draft.
- input: The attacker must know or guess the victim's post_id.
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.