Intel

AIKIDO-2026-700291

django-cms is vulnerable to Missing Authorization

Missing AuthorizationCVE-2026-61663 Published Today

43

Medium Risk

This Affects:

PYTHONdjango-cms
4.1.0 - 5.0.8
Fixed in 5.0.9
Are you affected? Scan for Free

TL;DR

The frontend-editing structure endpoint served by render_object_structure performs an object-level authorization check for PageContent objects but not for other frontend-editable models using PlaceholderRelationField. Any authenticated, active staff user can request the structure URL for a non-PageContent object and read its placeholder and plugin structure without change permission and without the cms.use_structure permission. This discloses placeholder slot names, the plugin tree, plugin identifiers, and object existence for objects the user is not authorized to edit. The fix authorizes the non-PageContent branch and returns 404 when the user is not permitted to view the object's placeholder source.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your deployment exposes non-PageContent frontend-editable models via PlaceholderRelationField.

Background info

django-cms is vulnerable to Missing Authorization in versions 4.1.0 - 5.0.8.

How to fix this

Upgrade the django-cms library to the patch version.