CVE-2026-24732 - Vulnerability Details

Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0.

HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

Make sure $wgGroupPermissions['*']['read'] is set to false in the LocalSettings.php.

References

Link	Providers
https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2026-02

History

Wed, 04 Mar 2026 13:15:00 +0000

Type	Values Removed	Values Added
Description	Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.5, from 5.2 through 5.2.0.	Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.3, from 5.2 through 5.2.0. HINT: Versions provided apply to BlueSpice MediaWiki releases. For Extension:NSFileRepo the affected versions are 3.0 < 3.0.5

Wed, 04 Mar 2026 12:30:00 +0000

Type	Values Removed	Values Added
Description		Files or Directories Accessible to External Parties, Incorrect Permission Assignment for Critical Resource vulnerability in Hallo Welt! GmbH BlueSpice (Extension:NSFileRepo modules) allows Accessing Functionality Not Properly Constrained by ACLs, Bypassing Electronic Locks and Access Controls.This issue affects BlueSpice: from 5.1 through 5.1.5, from 5.2 through 5.2.0.
Title		Improper permission checks in Extension:NSFileRepo
Weaknesses		CWE-552 CWE-732
References		https://en.wiki.bluespice.com/wiki/Security:Security_Advisories/BSSA-2026-02
Metrics		cvssV4_0 `{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:P/AU:Y/RE:L'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: HW

Published: 2026-03-04T12:13:09.918Z

Updated: 2026-03-04T14:27:00.797Z

Reserved: 2026-02-06T14:21:19.100Z

Link: CVE-2026-24732

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-04T13:15:58.287

Modified: 2026-03-04T13:15:58.287

Link: CVE-2026-24732

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object