BookStack Chapter Export Improper Access Control Vulnerability

A vulnerability exists in BookStackApp BookStack versions prior to 26.03. Chapter export functionality in the ExportFormatter component fails to properly enforce access controls, allowing unauthorized content to be exported. This issue arises because the chapterToMarkdown method uses a raw Eloquent relationship that includes all pages, bypassing permission filters. As a result, pages that should be hidden due to permissions can be accessed during markdown exports. The vulnerability can be exploited remotely by authenticated users with the content-export permission.

Impact

Exploitation of this vulnerability allows for a direct authorization bypass, exposing restricted content from chapters, including pages that the user is explicitly denied access to.

Reproduction

To reproduce this vulnerability, an authenticated user with the content-export permission can request the markdown export of a chapter that contains pages they do not have permission to access. The export will include the full content of those pages, bypassing the intended access controls.

Remediation

Users are advised to upgrade to BookStack version 26.03.1, which addresses this vulnerability by restoring proper permission handling in the chapter export feature.