CVE-2026-39903 (GCVE-0-2026-39903)
Vulnerability from cvelistv5 – Published: 2026-07-10 16:03 – Updated: 2026-07-14 20:19 X_Open Source
VLAI
EPSS
VEX
Title
Simple Machines Forum Authorization Bypass via AttachmentApprove.php
Summary
Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users' pending attachments.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
5 references
| URL | Tags |
|---|---|
| https://github.com/SimpleMachines/SMF/pull/9182 | issue-tracking |
| https://github.com/SimpleMachines/SMF/pull/9181 | issue-tracking |
| https://github.com/SimpleMachines/SMF/commit/7d04… | patch |
| https://github.com/SimpleMachines/SMF/commit/a787… | patch |
| https://www.vulncheck.com/advisories/simple-machi… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SimpleMachines | SMF |
Affected:
2.1.0 , ≤ 2.1.7
(semver)
Unaffected: 7d048f8d66aab9af51cd6ee110fbad103cf673e8 (git) Affected: 3.0.0 (semver) Unaffected: a7875e876a647572dd4c45da881b875092caac3d (git) |
Date Public
2026-04-07 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39903",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T01:56:17.608329Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T01:57:00.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"packageURL": "pkg:github/SimpleMachines/SMF",
"product": "SMF",
"repo": "https://github.com/SimpleMachines/SMF",
"vendor": "SimpleMachines",
"versions": [
{
"lessThanOrEqual": "2.1.7",
"status": "affected",
"version": "2.1.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "7d048f8d66aab9af51cd6ee110fbad103cf673e8",
"versionType": "git"
},
{
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
},
{
"status": "unaffected",
"version": "a7875e876a647572dd4c45da881b875092caac3d",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Elure (Marasescu Mihnea-Luca)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulnCheck"
}
],
"datePublic": "2026-04-07T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users\u0027 pending attachments."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T20:19:33.132Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "Pull Request (v2.1)",
"tags": [
"issue-tracking"
],
"url": "https://github.com/SimpleMachines/SMF/pull/9182"
},
{
"name": "Pull Request (v3.0)",
"tags": [
"issue-tracking"
],
"url": "https://github.com/SimpleMachines/SMF/pull/9181"
},
{
"name": "Patch Commit (v2.1)",
"tags": [
"patch"
],
"url": "https://github.com/SimpleMachines/SMF/commit/7d048f8d66aab9af51cd6ee110fbad103cf673e8"
},
{
"name": "Patch Commit (v3.0)",
"tags": [
"patch"
],
"url": "https://github.com/SimpleMachines/SMF/commit/a7875e876a647572dd4c45da881b875092caac3d"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/simple-machines-forum-authorization-bypass-via-attachmentapprove-php"
}
],
"source": {
"discovery": "UNKNOWN"
},
"tags": [
"x_open-source"
],
"title": "Simple Machines Forum Authorization Bypass via AttachmentApprove.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-39903",
"datePublished": "2026-07-10T16:03:20.983Z",
"dateReserved": "2026-04-07T20:57:06.209Z",
"dateUpdated": "2026-07-14T20:19:33.132Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-39903",
"date": "2026-07-15",
"epss": "0.00333",
"percentile": "0.25457"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-39903\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-07-10T17:16:57.230\",\"lastModified\":\"2026-07-14T21:16:46.467\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users\u0027 pending attachments.\"}],\"affected\":[{\"source\":\"disclosure@vulncheck.com\",\"affectedData\":[{\"vendor\":\"SimpleMachines\",\"product\":\"SMF\",\"defaultStatus\":\"affected\",\"repo\":\"https://github.com/SimpleMachines/SMF\",\"packageURL\":\"pkg:github/SimpleMachines/SMF\",\"versions\":[{\"version\":\"2.1.0\",\"lessThanOrEqual\":\"2.1.7\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"7d048f8d66aab9af51cd6ee110fbad103cf673e8\",\"versionType\":\"git\",\"status\":\"unaffected\"},{\"version\":\"3.0.0\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"a7875e876a647572dd4c45da881b875092caac3d\",\"versionType\":\"git\",\"status\":\"unaffected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"LOW\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":2.8,\"impactScore\":4.2}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-14T01:56:17.608329Z\",\"id\":\"CVE-2026-39903\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"no\"},{\"technicalImpact\":\"partial\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"references\":[{\"url\":\"https://github.com/SimpleMachines/SMF/commit/7d048f8d66aab9af51cd6ee110fbad103cf673e8\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/SimpleMachines/SMF/commit/a7875e876a647572dd4c45da881b875092caac3d\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/SimpleMachines/SMF/pull/9181\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://github.com/SimpleMachines/SMF/pull/9182\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://www.vulncheck.com/advisories/simple-machines-forum-authorization-bypass-via-attachmentapprove-php\",\"source\":\"disclosure@vulncheck.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39903\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-14T01:56:17.608329Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-14T01:56:57.240Z\"}}], \"cna\": {\"tags\": [\"x_open-source\"], \"title\": \"Simple Machines Forum Authorization Bypass via AttachmentApprove.php\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Elure (Marasescu Mihnea-Luca)\"}, {\"lang\": \"en\", \"type\": \"coordinator\", \"value\": \"VulnCheck\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 7.1, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"LOW\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/SimpleMachines/SMF\", \"vendor\": \"SimpleMachines\", \"product\": \"SMF\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.1.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"2.1.7\"}, {\"status\": \"unaffected\", \"version\": \"7d048f8d66aab9af51cd6ee110fbad103cf673e8\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"a7875e876a647572dd4c45da881b875092caac3d\", \"versionType\": \"git\"}], \"packageURL\": \"pkg:github/SimpleMachines/SMF\", \"defaultStatus\": \"affected\"}], \"datePublic\": \"2026-04-07T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/SimpleMachines/SMF/pull/9182\", \"name\": \"Pull Request (v2.1)\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/SimpleMachines/SMF/pull/9181\", \"name\": \"Pull Request (v3.0)\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://github.com/SimpleMachines/SMF/commit/7d048f8d66aab9af51cd6ee110fbad103cf673e8\", \"name\": \"Patch Commit (v2.1)\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/SimpleMachines/SMF/commit/a7875e876a647572dd4c45da881b875092caac3d\", \"name\": \"Patch Commit (v3.0)\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/simple-machines-forum-authorization-bypass-via-attachmentapprove-php\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Simple Machines Forum 2.1 prior to commit 7d048f8 and 3.0 prior to commit a7875e8 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated low-privileged user can approve, reject, or delete any pending attachments on any board without holding the required approve_posts permission, bypass moderation queues for their own uploads, and enumerate and delete other users\u0027 pending attachments.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-07-14T20:19:33.132Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-39903\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-14T20:19:33.132Z\", \"dateReserved\": \"2026-04-07T20:57:06.209Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-07-10T16:03:20.983Z\", \"assignerShortName\": \"VulnCheck\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…