This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files.
| Field | Details |
|---|---|
| Vulnerability Class | Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI) |
| Affected Component | RZ\Roadiz\Documents\DownloadedFile::fromUrl() |
| Prerequisites | Authenticated user with ROLE_ACCESS_DOCUMENTS |
The Roadiz backend features tools for importing external media, such as compiling cover art from Podcast RSS Feeds or OEmbed providers. This feature is handled by various MediaFinders, which ultimately pass the extracted media URLs to the DownloadedFile::fromUrl(string $url) parsing mechanism.
Inside fromUrl(), the application uses PHP's native fopen() function to fetch the remote resource and copy it into the local temporary directory before injecting it into the Flysystem Documents storage.
The $url parameter is passed to fopen without any schema validation or sanitization. In PHP, when stream wrappers are enabled, functions like fopen do not restrict operations to HTTP streams. If a file:// scheme is supplied, PHP seamlessly converts the operation into a local file system read. Because an attacker tightly controls the XML feed (e.g., from a Podcast integration), they can inject a file:// URI, forcing the CMS to "download" internal system files directly into the publicly accessible Media Library.
To reliably reproduce this vulnerability without requiring a live external URL, the attacker simply mimics the behavior of the Podcast importer manipulating the internal system.
The attacker creates a standard Podcast RSS XML feed (podcast.xml) and hosts it externally (or on an internal network reachable by the CMS). Inside this XML, the href attribute for the podcast thumbnail is weaponized to target a sensitive system file:
<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd">
<channel>
<title>Roadiz LFI Exploit</title>
<!-- Payload triggers the local filesystem fetch via PHP streams -->
<itunes:image href="file:///app/.env" />
</channel>
</rss>
podcast.xml file.AbstractPodcastFinder processes the XML and feeds file:///app/.env directly into DownloadedFile::fromUrl()..env file, creating a new "Document" arrayed with the contents of the file.APP_SECRET.Exploitation of this vulnerability results in a total loss of Confidentiality for the web application and underlying operating system.
.env, security.yaml, or database .sqlite files, leading to complete horizontal and vertical privilege escalation./etc/passwd, enumerating system users in preparation for lateral movement.http://169.254.169.254/latest/meta-data/), allowing the attacker to steal Root IAM roles globally compromising the victim's infrastructure.| Score | Percentile |
|---|---|
| 0.03% | 8.64% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-rc55-58f4-687g ↗ |
| CVE | CVE-2026-33486 ↗ |
| CWE id | Name |
|---|---|
| CWE-918 | Server-Side Request Forgery (SSRF) |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| composer | roadiz/documents | >= 2.7.0, < 2.7.9 | 2.7.9 | — |
| composer | roadiz/documents | >= 2.6.0, < 2.6.28 | 2.6.28 | — |
| composer | roadiz/documents | >= 2.4.0, < 2.5.44 | 2.5.44 | — |
| composer | roadiz/documents | < 2.3.42 | 2.3.42 | — |