CVE-2026-35183
Published: 06 April 2026
Summary
CVE-2026-35183 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Ajax30 Bravecms. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data Destruction (T1485). The vulnerability ranks at the 11.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce approved authorizations, including ownership verification, before permitting image deletion; this directly prevents the IDOR exploitation in the deleteImage endpoint.
- AC-24 (Access Control Decisions): require an explicit access control decision for resources such as article images, based on the user-ownership attribute, so that cross-user deletions are denied.
- AC-6 (Least Privilege): restrict edit permissions to the requesting user's own articles and images, limiting the impact of a missing ownership check.
MITRE ATT&CK Enterprise Techniques
- T1485 (Data Destruction)
Why these techniques?
The IDOR vulnerability directly enables unauthorized deletion of article images, allowing an attacker to destroy content and so disrupt the integrity and availability of the affected articles.
NVD Description
Brave CMS is an open-source CMS. Prior to 2.0.6, an Insecure Direct Object Reference (IDOR) vulnerability exists in the article image deletion feature. It is located in app/Http/Controllers/Dashboard/ArticleController.php within the deleteImage method. The endpoint accepts a filename from the URL but does not verify ownership. This allows an authenticated user with edit permissions to delete images attached to articles owned by other users. This vulnerability is fixed in 2.0.6.
Deeper analysis
CVE-2026-35183 is an Insecure Direct Object Reference (IDOR) vulnerability, classified under CWE-639, affecting Brave CMS, an open-source content management system, in versions prior to 2.0.6. The issue resides in the article image deletion feature, specifically within the `deleteImage` method of `app/Http/Controllers/Dashboard/ArticleController.php`. This endpoint accepts a filename directly from the URL parameter without verifying the requesting user's ownership of the associated article, enabling unauthorized image deletion. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L), indicating high integrity impact with low privileges required.
To exploit this vulnerability an attacker must be an authenticated user with edit permissions on the CMS; the attack is carried out over the network, has low complexity, and needs no user interaction. By placing the filename of an image attached to another user's article in the deletion endpoint URL, the attacker can delete that image, disrupting the integrity and availability of the affected article's content. Confidentiality is not affected.
The GitHub security advisory at https://github.com/Ajax30/BraveCMS-2.0/security/advisories/GHSA-cpf3-fxwg-cwr3 confirms the vulnerability and states that it is fully remediated in Brave CMS version 2.0.6, recommending immediate upgrades to patched versions for all affected installations.
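To make the class of fix concrete, the following is an added example of an IDOR-prone Laravel deletion action beside a hardened version. It is illustrative code written for this page, not Brave CMS source and not the actual 2.0.6 patch; the controller, model, relation, column and route names are assumptions.

```php
<?php
// Added illustration, not Brave CMS code. Model names (Article, ArticleImage),
// the images() relation, the user_id and path columns and the route shape are
// all assumptions made for this example.

namespace App\Http\Controllers\Dashboard;

use App\Http\Controllers\Controller;
use App\Models\Article;                       // assumed: has user_id, images()
use App\Models\ArticleImage;                  // assumed: has article_id, filename, path
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Storage;

class ArticleImageController extends Controller
{
    use AuthorizesRequests;

    // VULNERABLE PATTERN (CWE-639): the filename comes straight from the URL
    // and is deleted for any authenticated caller with a generic "edit"
    // permission. Nothing ties the file to an article the caller owns, so a
    // filename belonging to another user's article is deleted just the same.
    // Route (assumed): DELETE /dashboard/articles/images/{filename}
    public function deleteImageUnsafe(Request $request, string $filename)
    {
        Storage::disk('public')->delete('articles/' . $filename);
        ArticleImage::where('filename', $filename)->delete();

        return back()->with('status', 'Image deleted');
    }

    // HARDENED PATTERN: resolve the image through its parent article, make an
    // explicit per-object authorization decision (AC-24) and enforce it (AC-3),
    // and delete only the path the application itself recorded.
    // Route (assumed): DELETE /dashboard/articles/{article}/images/{filename}
    public function deleteImage(Request $request, Article $article, string $filename)
    {
        // Ownership check: ArticlePolicy::update() below returns false for a
        // caller who does not own $article, and authorize() then aborts with 403.
        $this->authorize('update', $article);

        // Scope the lookup to this article. A filename that belongs to someone
        // else's article is simply not found (404) instead of being deleted.
        $image = $article->images()->where('filename', $filename)->firstOrFail();

        // Delete using the stored path rather than a string built from request
        // input, so the request controls which record is chosen, not which file.
        Storage::disk('public')->delete($image->path);
        $image->delete();

        return back()->with('status', 'Image deleted');
    }
}

// Assumed policy class; register it for Article in AuthServiceProvider (or rely
// on Laravel's policy auto-discovery). A global "can edit articles" role is not
// enough: the decision is per object, comparing the article's owner to the caller.
class ArticlePolicy
{
    public function update(User $user, Article $article): bool
    {
        return $user->id === $article->user_id;
    }
}
```

The point of the hardened version is that the ownership check happens on the parent object before the child is ever looked up, and the child lookup is itself scoped to that parent. Either check alone closes the cross-user deletion described in the advisory; doing both means a later refactor that drops one of them still leaves the other in place.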
Details
- CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)