CVE-2026-24732 PUBLISHED

Improper permission checks in Extension:NSFileRepo

Assigner: HW
Reserved: 06.02.2026 Published: 04.03.2026 Updated: 04.03.2026

Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.

HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/RE:L
CVSS Score: 6.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	None	Integrity	None
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Hallo Welt! GmbH
Product	BlueSpice
Versions	Default: affected affected from 5.1 to 5.1.3 (incl.) affected from 5.2 to 5.2.0 (incl.)

Workarounds

Make sure $wgGroupPermissions['*']['read'] is set to false in the LocalSettings.php.

References

https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2026-02

Problem Types

CWE-552 Files or Directories Accessible to External Parties CWE
CWE-732 Incorrect Permission Assignment for Critical Resource CWE

Impacts

CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs
CAPEC-395 Bypassing Electronic Locks and Access Controls