
October CMS: Untrusted Users Can Access Sensitive Data

CVE-2026-22692 GHSA-m5qg-jc75-4jp6
Summary

Authenticated users with template editing permissions can access sensitive data on October CMS installations that have the CMS_SAFE_MODE feature enabled. The affected october/rain versions are listed below; the issue is fixed by updating to a patched version or by disabling CMS_SAFE_MODE.

What to do
  • On the 4.x branch, update october/rain to version 4.1.5.
  • On the 3.x branch, update october/rain to version 3.7.13.
Affected software

| Ecosystem | Vendor  | Product | Affected versions   |
|-----------|---------|---------|---------------------|
| composer  | october | rain    | >= 4.0.0, <= 4.1.4  |
| composer  | october | rain    | <= 3.7.12           |

Fix: upgrade to 4.1.5 (4.x branch) or 3.7.13 (3.x branch)
Original title
October Rain has a Twig Sandbox Bypass via Collection Methods
Original description
A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.

### Impact
- Bypass of Twig sandbox restrictions
- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)
- Requires authenticated backend access with CMS template editing permissions

### Patches
The vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.

### Workarounds
If upgrading immediately is not possible:
- Disable `CMS_SAFE_MODE` if untrusted template editing is not required
- Restrict CMS template editing permissions to fully trusted administrators only
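The two checks a practitioner would run before deciding between upgrading and the workaround above, as an added example that is not part of the advisory or of October CMS: read the installed `october/rain` version from `composer.lock`, compare it against the affected ranges stated here, and read `CMS_SAFE_MODE` from the `.env` file. The sample `composer.lock` and `.env` contents are constructed, and the `.env` boolean spellings accepted are an assumption.

```python
import json
import re

# Fixed versions from the advisory: anything below them on the same branch is
# affected (3.x: <= 3.7.12; 4.x: >= 4.0.0, <= 4.1.4). Other branches are not listed.
FIXED = {3: (3, 7, 13), 4: (4, 1, 5)}

def parse_version(ver: str) -> tuple:
    """Turn 'v4.1.4' or '3.7.12' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {ver!r}")
    return tuple(int(x) for x in m.groups())

def is_vulnerable_version(ver: str) -> bool:
    """True when the version sits inside one of the advisory's affected ranges."""
    v = parse_version(ver)
    fixed = FIXED.get(v[0])
    return fixed is not None and v < fixed

def rain_version_from_lock(lock_json: str):
    """Installed october/rain version as recorded in composer.lock, or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "october/rain":
            return pkg.get("version")
    return None

def safe_mode_enabled(env_text: str) -> bool:
    """Read CMS_SAFE_MODE from .env content; the feature is off by default."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("CMS_SAFE_MODE="):
            value = line.split("=", 1)[1].strip().strip("\"'").lower()
            return value in ("true", "1", "on", "yes")  # assumed spellings
    return False

def assess(lock_json: str, env_text: str) -> str:
    """Combine both checks into one verdict; the leading word is machine-readable."""
    ver = rain_version_from_lock(lock_json)
    if ver is None:
        return "UNKNOWN: october/rain not found in composer.lock"
    if not is_vulnerable_version(ver):
        return f"OK: october/rain {ver} is outside the affected ranges"
    fix = ".".join(map(str, FIXED[parse_version(ver)[0]]))
    if safe_mode_enabled(env_text):
        return f"EXPOSED: october/rain {ver} with CMS_SAFE_MODE enabled; upgrade to {fix}"
    return f"PATCH: october/rain {ver} is affected; CMS_SAFE_MODE is off, still upgrade to {fix}"

# Constructed sample inputs, not taken from a real installation.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "october/rain", "version": "v4.1.4"}]})
SAMPLE_ENV = "APP_DEBUG=false\nCMS_SAFE_MODE=true\n"
```

Run `assess(open("composer.lock").read(), open(".env").read())` from the project root; a `PATCH` verdict still warrants upgrading, since the workaround only holds while safe mode stays off.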

### References
- Reported by Łukasz Rybak
NVD CVSS 3.1 base score: 4.9
Vulnerability type
CWE-284 Improper Access Control
CWE-693 Protection Mechanism Failure
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026