Unrated severityNVD Advisory· Published Feb 26, 2026· Updated Feb 27, 2026

Manyfold has IDOR in ModelFilesController

CVE-2026-28225

Description

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the get_model method in ModelFilesController (line 158-160) loads models using Model.find_param(params[:model_id]) without policy_scope(), bypassing Pundit authorization. All other controllers correctly use policy_scope(Model).find_param() (e.g., ModelsController line 263). Version 0.133.1 fixes the issue.

Affected products

Manyfold3d/Manyfoldllm-fuzzy2 versions
<0.133.1+ 1 more
- (no CPE)range: <0.133.1
- (no CPE)range: < 0.133.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/manyfold3d/manyfold/releases/tag/v0.133.1mitrex_refsource_MISC
github.com/manyfold3d/manyfold/security/advisories/GHSA-v8pw-3r2f-3fqmmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000