CVE-2026-29179
October CMS: Editor Sub-Permission Bypass for Asset and Blueprint File Operations
Description
Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This only affects backend users who were explicitly granted `editor` access but had `editor.cms_assets` or `editor.tailor_blueprints` specifically withheld, an uncommon permission configuration. In this edge case, such users could perform file operations (create, delete, rename, move, upload) on theme assets or blueprint files despite lacking the required sub-permission. A related operator precedence error in the Tailor navigation also disclosed the theme blueprint directory tree under the same conditions. ### Impact - Only exploitable by authenticated backend users with `editor` access who have been specifically denied the `editor.cms_assets` or `editor.tailor_blueprints` sub-permissions - Does not affect default permission configurations where editor users typically have all sub-permissions granted - Users without `editor.cms_assets` could manipulate theme asset files (delete, rename, move, upload, create directories) - Users without `editor.tailor_blueprints` could manipulate blueprint files (delete, rename, move, upload, create directories) - Users without `editor.tailor_blueprints` could view the theme blueprint navigation tree, disclosing file paths and directory structure ### Patches The vulnerability has been patched in v3.7.16 and v4.1.16. Fine-grained document type permission checks are now enforced on all asset and blueprint file operation commands, and the navigation node condition logic has been corrected. All users are encouraged to upgrade to the latest patched version. ### Workarounds - Restrict the `editor` permission to fully trusted administrators only - Remove the `editor` permission from any user who should not have asset or blueprint management access
How to fix CVE-2026-29179
To remediate CVE-2026-29179, upgrade the affected package to a fixed version below.
- —upgrade to 4.1.16 or later
Is CVE-2026-29179 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.