CVE-2026-24900

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b	Patch
https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1	Product Release Notes
https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 20:08

NVD link : CVE-2026-24900

Mitre link : CVE-2026-24900

CVE.ORG link : CVE-2026-24900

JSON object : View

Products Affected

markusproject

markus

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

{"id": "CVE-2026-24900", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-02-09T20:15:56.387", "references": [{"url": "https://github.com/MarkUsProject/Markus/commit/7daed9fd2d44932223798d997b55094a3bff104b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MarkUsProject/Markus/releases/tag/v2.9.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-639"}]}], "descriptions": [{"lang": "en", "value": "MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1."}, {"lang": "es", "value": "MarkUs es una aplicaci\u00f3n web para la entrega y calificaci\u00f3n de tareas de estudiantes. Antes de 2.9.1, la ruta courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content aceptaba un par\u00e1metro select_file_id para servir objetos SubmissionFile que conten\u00edan un registro de los archivos entregados por los estudiantes. Este par\u00e1metro no estaba correctamente acotado al usuario solicitante, permitiendo a los usuarios acceder a contenidos arbitrarios de archivos de entrega por ID. Esta vulnerabilidad est\u00e1 corregida en 2.9.1."}], "lastModified": "2026-02-19T20:08:14.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:markusproject:markus:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D6B2B7B-F46C-4CEE-86D4-B25D3746747A", "versionEndExcluding": "2.9.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}