Docmost Wiki Software Exposes Sensitive Content to Public View

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

4.3

Docmost Wiki Software Exposes Sensitive Content to Public View

CVE-2026-33146

Summary

If you're using Docmost version 0.70.0 through 0.70.2, an unauthorized user can see sensitive information in your wiki by using the search function. This is a confidentiality breach, meaning private information might be exposed. Update to version 0.70.3 to fix this issue.

Original title

Original description

Docmost is open-source collaborative wiki and documentation software. An authorization bypass vulnerability in versions 0.70.0 through 0.70.2 exposes restricted child page titles and text snippets through the public search endpoint (`POST /api/search/share-search`) for publicly shared content. This flaw allows unauthenticated users to enumerate and retrieve content that should remain hidden from public share viewers, leading to a confidentiality breach. Version 0.70.3 contains a patch.

nvd CVSS3.1 4.3

Vulnerability type

CWE-285 Improper Authorization

https://github.com/docmost/docmost/security/advisories/GHSA-qq4c-8rjr-w42c

Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026