VYPR
← All advisories
Unrated severityNVD Advisory· Published Jun 15, 2026

CVE-2026-50885

CVE-2026-50885

Description

Unauthenticated attackers can bypass read authorization in Sismics Docs (Teedy) v1.11 by supplying a reserved share parameter value, gaining access to protected document data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can bypass read authorization in Sismics Docs (Teedy) v1.11 by supplying a reserved share parameter value, gaining access to protected document data.

Vulnerability

A flaw in the ACL evaluation for share-based read endpoints in Sismics Docs (Teedy) version 1.11 allows an attacker to bypass authorization checks. The BaseResource.getTargetIdList(shareId) method appends the untrusted share query parameter directly to the ACL target list. The AclDao.checkPermission(...) method calls SecurityUtil.skipAclCheck(targetIdList), which returns true when the target list contains the literal identifiers admin or administrators. Because the request-controlled share value can be one of these reserved strings, read authorization is skipped without requiring a valid share object. Affected read paths include document view, file list, file download, file ZIP export, exported document output, and comment listing. [1]

Exploitation

An unauthenticated attacker only needs to know a valid document or file identifier (e.g., a documentId or fileId) that should not be accessible. The attacker sends a read request to an affected endpoint (e.g., GET /api/document/?share=admin or GET /api/file//data?share=administrators). The server evaluates the ACL target list containing the reserved string, skips the actual ACL check, and returns the protected data. No prior authentication or valid share token is required. [1]

Impact

Successful exploitation grants unauthorized read access to document metadata, comments, attachment listings, exported PDFs, and file contents from share-capable read endpoints. An attacker can retrieve sensitive information stored in Teedy documents without any valid credentials. [1]

Mitigation

No fix or patch has been disclosed in the available reference. Users of Sismics Docs (Teedy) v1.11 should monitor for official updates. As a workaround, if source code access is available, the SecurityUtil.skipAclCheck function could be modified to reject reserved strings from untrusted input, or the share parameter could be validated against known share objects before being added to the target list. The vulnerability is not listed in CISA KEV as of publication. [1]

References
  1. Reference for CVE-2026-50885

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The raw `share` query parameter is appended to the ACL target list without validation, allowing reserved identifiers (`admin`, `administrators`) to trigger an ACL-skip shortcut."

Attack vector

An unauthenticated attacker who knows a valid document or file identifier can append `?share=admin` or `?share=administrators` to any share-capable read endpoint (e.g., `/api/document/<id>`, `/api/file/<id>/data`). Because `SecurityUtil.skipAclCheck` treats these reserved strings as a signal to skip ACL verification, the server returns protected data without requiring a legitimate share token [ref_id=1].

Affected code

The vulnerability resides in `BaseResource.getTargetIdList(shareId)`, which appends the raw `share` query parameter to the ACL target list without sanitization. `SecurityUtil.skipAclCheck(targetIdList)` then returns `true` when that list contains the reserved identifiers `admin` or `administrators`, bypassing the real ACL check in `AclDao.checkPermission(...)` [ref_id=1].

What the fix does

The advisory does not include a patch diff. The recommended fix is to validate that the `share` parameter corresponds to a real, existing share object before adding it to the ACL target list, or to reject reserved identifiers such as `admin` and `administrators` outright [ref_id=1]. Without such validation, any request carrying one of those literal strings bypasses the permission check entirely.

Preconditions

  • inputAttacker must know a valid documentId or fileId on the target Teedy 1.11 instance
  • configThe affected read endpoint must accept the `share` query parameter

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.