Manyfold Missing Authorization Vulnerability in ModelFilesController Allows Unauthorized File Access and Conversion

Vulnerability

A vulnerability in Manyfold versions prior to 0.133.1 allows authenticated contributors to bypass authorization checks in the ModelFilesController. The 'get_model' method fails to use 'policy_scope()', so models are looked up without being restricted to those the current user is permitted to see, enabling unauthorized access to models and their associated files. This oversight affects all model_files endpoints and allows contributors to modify, delete, and convert files from models they do not own.
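To illustrate the pattern the advisory describes, here is an added example in plain Ruby that is not Manyfold's code: a Pundit-style policy scope and a controller lookup in its unscoped (vulnerable) and scoped (fixed) forms. The Library, Model, User and ModelPolicy::Scope names and the two get_model variants are assumptions, and Pundit's policy_scope helper is simulated with a hand-written Scope class so the file runs without Rails.

```ruby
# Added illustration, not Manyfold's code. Names below are assumed; the
# Pundit policy_scope helper is stood in for by ModelPolicy::Scope#resolve.
Library = Struct.new(:id, :name)
Model   = Struct.new(:id, :library)
User    = Struct.new(:name, :permitted_library_ids)

# Pundit convention: Policy::Scope#resolve returns only the records the
# current user is allowed to see (here: models in libraries they may access).
class ModelPolicy
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end

    def resolve
      @scope.select { |m| @user.permitted_library_ids.include?(m.library.id) }
    end
  end
end

# Stand-in for ActiveRecord::RecordNotFound, which a scoped find raises (404).
class RecordNotFound < StandardError; end

class ModelFilesController
  def initialize(current_user, all_models)
    @current_user, @all_models = current_user, all_models
  end

  # Vulnerable pattern: looks the model up across every record, so any
  # authenticated contributor can reach models in libraries they cannot access.
  def get_model_unscoped(model_id)
    @all_models.find { |m| m.id == model_id } or raise RecordNotFound
  end

  # Fixed pattern: narrow to the policy scope first; a model outside the
  # user's permitted libraries is simply never found, so every model_files
  # action built on this lookup inherits the check.
  def get_model_scoped(model_id)
    visible = ModelPolicy::Scope.new(@current_user, @all_models).resolve
    visible.find { |m| m.id == model_id } or raise RecordNotFound
  end
end

# Constructed sample data: a contributor who may only see the public library.
PUBLIC_LIB  = Library.new(1, "public")
PRIVATE_LIB = Library.new(2, "private")
MODELS      = [Model.new(10, PUBLIC_LIB), Model.new(20, PRIVATE_LIB)]
CONTRIBUTOR = User.new("contributor", [PUBLIC_LIB.id])
```

With this data, get_model_unscoped(20) returns the private-library model while get_model_scoped(20) raises RecordNotFound, which is the behaviour the fix restores.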

Impact

Exploitation of this vulnerability enables authenticated contributors to access, edit, and delete files from any model, including those in libraries outside their permission scope. Additionally, the vulnerability allows unauthorized conversion of files by any contributor, regardless of model ownership.

Remediation

Update to Manyfold version 0.133.1 to address this vulnerability.

Added: Feb 26, 2026, 11:24 PM
Updated: Feb 26, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 5.2
remediation: 0.0
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.