6.5
Manyfold 3D Model Manager: Unauthorized Model Access Before 0.133.1
CVE-2026-28225
Summary
A security issue in Manyfold allowed unauthorized users to access 3D models. This happened because the app didn't properly check permissions before loading a model. To fix this, update Manyfold to version 0.133.1 or later.
What to do
Update Manyfold to version 0.133.1 or later, which fixes the issue.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| manyfold | manyfold | < 0.133.1 | 0.133.1 |
Original title
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesC...
Original description
Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Prior to version 0.133.1, the `get_model` method in `ModelFilesController` (line 158-160) loads models using `Model.find_param(params[:model_id])` without `policy_scope()`, bypassing Pundit authorization. All other controllers correctly use `policy_scope(Model).find_param()` (e.g., `ModelsController` line 263). Version 0.133.1 fixes the issue.
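The difference between the two lookup patterns named in the description, as an added example that is not Manyfold's code. `Relation`, `visible_to`, the sample records and the explicit `user` argument to `policy_scope` are stand-ins assumed here so the block runs without Rails or Pundit; only `find_param`, `policy_scope` and `get_model` come from the advisory text.

```ruby
# Stand-ins for Rails and Pundit so this runs offline (assumptions, not Manyfold code).
class RecordNotFound < StandardError; end
Model = Struct.new(:public_id, :name, :owner, :is_public)

class Relation
  def initialize(records)
    @records = records
  end
  # Mimics the find_param lookup named in the advisory: fetch by user-supplied key.
  def find_param(id)
    @records.find { |m| m.public_id == id } || raise(RecordNotFound, id)
  end
  # Hypothetical visibility rule: public models plus the user's own.
  def visible_to(user)
    Relation.new(@records.select { |m| m.is_public || m.owner == user })
  end
end

# Follows Pundit's Scope convention: initialize(user, scope) and resolve.
class ModelPolicy
  class Scope
    def initialize(user, scope)
      @user, @scope = user, scope
    end
    def resolve
      @scope.visible_to(@user)
    end
  end
end

def policy_scope(user, scope)
  ModelPolicy::Scope.new(user, scope).resolve
end

# Constructed sample data.
MODELS = Relation.new([
  Model.new("pub1", "Calibration cube", "alice", true),
  Model.new("priv1", "Unreleased design", "alice", false)
])

# Pattern the advisory reports in get_model: lookup with no scope applied.
def get_model_unscoped(_user, params)
  MODELS.find_param(params[:model_id])
end

# Pattern the advisory says other controllers use: scope first, then look up.
def get_model_scoped(user, params)
  policy_scope(user, MODELS).find_param(params[:model_id])
end
```

Pundit's `verify_policy_scoped` hook, run as an `after_action`, raises when an action finishes without calling `policy_scope`, which surfaces this kind of omission in tests.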
nvd CVSS3.1
6.5
Vulnerability type
CWE-639
Authorization Bypass Through User-Controlled Key
- https://github.com/manyfold3d/manyfold/releases/tag/v0.133.1 (Product, Release Notes)
- https://github.com/manyfold3d/manyfold/security/advisories/GHSA-v8pw-3r2f-3fqm (Mitigation, Vendor Advisory, Exploit)
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026