Authorization Bypass in Simple Machines Forum by Simple Machines
CVE-2026-39903

7.1HIGH

Key Information:

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-39903?

The authorization bypass vulnerability in Simple Machines Forum versions 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 arises from a single-character operator error in the AttachmentApprove.php file. This flaw permits authenticated low-privileged users to approve, reject, or delete any pending attachments across all boards without the necessary permissions. As a result, users can bypass moderation queues for their own uploads and gain unauthorized access to manage other users' pending attachments, leading to potential misuse and exposure of sensitive content.

Affected Version(s)

SMF 2.1.0

SMF 2.1.0 < 2.1.8

SMF 3.0.0 < 3.0.0 Alpha 5

References

CVSS V4

Score:
7.1
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elure (Marasescu Mihnea-Luca)
VulnCheck
.