Authorization Bypass in Simple Machines Forum by Simple Machines
CVE-2026-39903
7.1HIGH
What is CVE-2026-39903?
The authorization bypass vulnerability in Simple Machines Forum versions 2.1 before 2.1.8 and 3.0 before 3.0 Alpha 5 arises from a single-character operator error in the AttachmentApprove.php file. This flaw permits authenticated low-privileged users to approve, reject, or delete any pending attachments across all boards without the necessary permissions. As a result, users can bypass moderation queues for their own uploads and gain unauthorized access to manage other users' pending attachments, leading to potential misuse and exposure of sensitive content.
Affected Version(s)
SMF 2.1.0
SMF 2.1.0 < 2.1.8
SMF 3.0.0 < 3.0.0 Alpha 5
