CVE-2026-28225 PUBLISHED

Manyfold has IDOR in ModelFilesController

Assigner: GitHub_M
Reserved: 25.02.2026 Published: 26.02.2026 Updated: 26.02.2026

Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the get_model method in ModelFilesController (line 158-160) loads models using Model.find_param(params[:model_id]) without policy_scope(), bypassing Pundit authorization. All other controllers correctly use policy_scope(Model).find_param() (e.g., ModelsController line 263). Version 0.133.1 fixes the issue.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score: 5.3

Product Status

Vendor manyfold3d
Product manyfold
Versions
  • Version < 0.133.1 is affected

References

Problem Types

  • CWE-639: Authorization Bypass Through User-Controlled Key CWE