CVE-2026-22249

7.1 HIGH

📋 TL;DR

Docmost versions 0.21.0 through 0.23.x contain a ZipSlip vulnerability in the zip import feature that allows attackers to write arbitrary files to any location on the server filesystem. This occurs because the software doesn't validate filenames extracted from zip archives. All Docmost instances using vulnerable versions are affected.

💻 Affected Systems

Products:
  • Docmost
Versions: 0.21.0 to 0.23.x
Operating Systems: All platforms running Docmost
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments with zip import functionality enabled are vulnerable. The feature is part of core functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise via arbitrary file write leading to remote code execution, data destruction, or system takeover.

🟠 Likely Case: Unauthorized file writes to sensitive locations, potentially overwriting configuration files or planting backdoors.

🟢 If Mitigated: Limited impact if proper file system permissions restrict write access to critical directories.

🌐 Internet-Facing: HIGH - The import feature is typically exposed to users, making exploitation straightforward.
🏢 Internal Only: MEDIUM - Internal users could still exploit this, but attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

ZipSlip is a well-known vulnerability pattern with existing exploit techniques. Exploitation requires access to the import feature, which typically requires authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.24.0

Vendor Advisory: https://github.com/docmost/docmost/security/advisories/GHSA-54pm-hqxm-54wg

Restart Required: Yes

Instructions:

1. Back up your Docmost data and configuration.
2. Update to version 0.24.0 or later using your package manager or by downloading from GitHub releases.
3. Restart the Docmost service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Zip Import Feature (all platforms)

Temporarily disable the vulnerable zip import functionality until patching is possible. Check the Docmost configuration for import settings and disable zip imports.

Restrict File System Permissions (Linux)

Limit the Docmost process to write only to necessary directories using OS-level permissions. Use chmod and chown to restrict write access to sensitive directories.

🧯 If You Can't Patch

  • Disable the zip import feature entirely in application configuration.
  • Implement network-level controls to restrict access to the import functionality to trusted users only.

🔍 How to Verify

Check if Vulnerable:

Check your Docmost version. If it's between 0.21.0 and 0.23.x, you are vulnerable.

Check Version:

Check the Docmost admin panel, or run the following in the Docmost directory: node -e "console.log(require('./package.json').version)"

Verify Fix Applied:

After updating to 0.24.0 or later, verify the version and test that zip imports still work with safe files.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in system logs
  • Zip import operations with suspicious filenames containing '../' patterns
  • Errors from Docmost when processing malformed zip files

Network Indicators:

  • Multiple import requests from single users in short timeframes
  • Unusual payload sizes in import requests

SIEM Query:

source="docmost.logs" AND (message="import" OR message="zip") AND (message=".." OR message="../")

🔗 References
