CVE-2026-24900
📋 TL;DR
MarkUs versions before 2.9.1 contain an authorization bypass vulnerability where users can access arbitrary student submission files by manipulating the select_file_id parameter. This allows unauthorized viewing of other students' submitted work. All users of affected MarkUs instances are potentially impacted.
💻 Affected Systems
- MarkUs
📦 What is this software?
Markus by Markusproject
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could systematically download all student submissions, compromising academic integrity and exposing sensitive student work across courses.
Likely Case
Students accessing other students' submissions to copy work or gain unfair advantages on assignments.
If Mitigated
Limited exposure if proper access controls and monitoring are in place, but still violates privacy expectations.
🎯 Exploit Status
Exploitation requires authenticated access but is trivial: it only involves modifying the select_file_id parameter in requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1
Vendor Advisory: https://github.com/MarkUsProject/Markus/security/advisories/GHSA-56gh-8hmq-7q88
Restart Required: Yes
Instructions:
1. Back up your current MarkUs installation and database.
2. Update to MarkUs version 2.9.1 or later.
3. Restart the MarkUs application server.
4. Verify the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Disable vulnerable endpoint
Temporarily disable or restrict access to the /courses/*/assignments/*/submissions/html_content endpoint
# Configure the web server (e.g., nginx/apache) to block or restrict the endpoint
# Example (nginx):
location ~* /courses/.*/assignments/.*/submissions/html_content { deny all; }
🧯 If You Can't Patch
- Implement strict access controls and monitoring for the vulnerable endpoint
- Deploy a web application firewall (WAF) with rules to detect parameter manipulation attempts
🔍 How to Verify
Check if Vulnerable:
Test if authenticated users can access submission files belonging to other users by modifying the select_file_id parameter in requests to the vulnerable endpoint.
Check Version:
Check the MarkUs version in the application interface or configuration files, or run: grep -r 'MARKUS_VERSION' /path/to/markus/installation/
Verify Fix Applied:
After updating to 2.9.1, verify that attempts to access other users' submission files via parameter manipulation are properly rejected with authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts on submission endpoints
- Unusual access patterns to submission files from single users
- Requests with manipulated select_file_id parameters
Network Indicators:
- HTTP requests to /courses/*/assignments/*/submissions/html_content with unusual select_file_id values
- Rapid sequential requests to submission endpoints
SIEM Query:
source="web_server_logs" AND uri_path="/courses/*/assignments/*/submissions/html_content" AND (status_code=200 OR status_code=403) | stats count by src_ip, uri_path
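Added example (not part of the advisory or the MarkUs project): a Python sketch of the "unusual access patterns" indicator above, flagging clients that request many distinct select_file_id values on the html_content endpoint. The combined access-log layout, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed nginx/Apache "combined" access-log layout; adjust to your server.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3} '
)
# Endpoint path taken from the workaround section of this page.
ENDPOINT_RE = re.compile(
    r'^/courses/[^/]+/assignments/[^/]+/submissions/html_content/?$'
)

def flag_enumeration(lines, max_distinct_ids=3):
    """Return {client_ip: sorted distinct select_file_id values} for clients
    that requested more than max_distinct_ids (assumed threshold) distinct IDs."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        url = urlsplit(m.group("target"))
        if not ENDPOINT_RE.match(url.path):
            continue  # other endpoints are out of scope here
        # parse_qs percent-decodes names and values, so encoded spellings
        # of the parameter are counted as well.
        for value in parse_qs(url.query).get("select_file_id", []):
            seen[m.group("ip")].add(value)
    return {ip: sorted(ids) for ip, ids in seen.items()
            if len(ids) > max_distinct_ids}

def make_line(ip, target):
    """Build one constructed combined-format log line (sample data only)."""
    return (f'{ip} - - [10/Feb/2026:10:00:00 +0000] '
            f'"GET {target} HTTP/1.1" 200 512 "-" "-"')

# Constructed sample input, not real traffic.
BASE = "/courses/1/assignments/2/submissions/html_content"
SAMPLE_LOG = (
    [make_line("198.51.100.7", f"{BASE}?select_file_id={n}")
     for n in range(101, 106)]
    + [make_line("203.0.113.20", f"{BASE}?select_file_id=300")] * 2
    + [make_line("203.0.113.20", f"{BASE}?select_file_id=301"),
       make_line("203.0.113.20", "/courses/1/assignments?select_file_id=999"),
       "garbled line"]
)

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

Accounts that legitimately review many submissions will exceed any fixed threshold, so tune max_distinct_ids per deployment and correlate flagged clients with the authenticated user and role.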