CIVI-SA-2026-26: Unauthorized access to Files via APIv3

Published
2026-06-15 20:08
Written by

With multiple entry-points in APIv3, there was an ability to move arbitrary files from the server filesystem.

Security Risk
Critical
Vulnerability
Access Bypass
Affected Versions

CiviCRM v6.15.2 and earlier

Fixed Versions

CiviCRM v6.15.3, v6.10.7 (ESR), and later

Publication Date
Solutions

Upgrade to a fixed version of CiviCRM

Credits

Tim Otten (CiviCRM), Coleman Watts (CiviCRM), Dave D