CVE-2026-41887

CVE-2026-41887 is a medium-severity path traversal vulnerability in flarum/core (composer), affecting versions <= 1.8.15. It is fixed in 1.8.16, 2.0.0-rc.1.

Summary

Flarum's patch for CVE-2023-27577 restricted the @import and data-uri() LESS features in the custom_less setting, but the same restriction was never applied to other settings registered as LESS config variables (for example theme_primary_color and theme_secondary_color, as well as any key registered via Extend\Settings::registerLessConfigVar()).

Those values are interpolated verbatim into the LESS source at compile time, allowing an authenticated administrator to craft a theme-color value that injects an arbitrary @import directive into the compiled forum.css. Because the underlying LESS parser honours @import (inline) '<path>', an attacker can read arbitrary files reachable by the PHP process (local file inclusion) or trigger outbound HTTP(S) requests (server-side request forgery).

Example payload

Submitted via POST /api/settings with an admin session:

{ "theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';" }

The setting is stored verbatim, interpolated into the LESS source on the next CSS compile, and the target file's contents appear in /assets/forum.css.

Workarounds

If upgrading is not immediately possible:

  • Ensure administrator accounts are protected with strong, unique passwords and (where supported) two-factor authentication.
  • Restrict administrator access to trusted users only.
  • Review the forum's public forum.css for unexpected content that could indicate prior exploitation.

There is no configuration-level mitigation on affected versions; the fix requires the upgraded code.
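The third workaround above asks for a review of the public forum.css. As an added example (not part of the advisory or of Flarum), the following Python script does that review with heuristics: an injected @import (inline) embeds the imported file's text verbatim in the compiled stylesheet, so the scan looks for signatures of non-CSS material (passwd-style entries, PHP source, dotenv-style secret assignments, PEM keys, and @import directives that survived compilation). The indicator patterns and the sample stylesheets are this example's own constructions; a hit is a finding for a human to confirm, not proof of compromise.

```python
"""Review a compiled forum.css for content that should not be in a stylesheet.

Added example (not part of the advisory or of Flarum) implementing the
workaround of checking the public forum.css for signs of prior exploitation:
an injected "@import (inline)" embeds the imported file's text verbatim in the
compiled CSS, so the scan looks for signatures of non-CSS material. The sample
stylesheets at the bottom are constructed for this example.
"""
import re
import sys

# Heuristic signatures of material that has no business in a stylesheet.
# A match is a finding for a human to confirm, not proof of compromise.
INDICATORS = [
    ("passwd-style entry",
     re.compile(r"[A-Za-z_][A-Za-z0-9_-]*:[x*!]?:\d+:\d+:[^:\n]*:/[^:\s]*:/[^\s;}]*")),
    ("PHP source", re.compile(r"<\?php")),
    ("dotenv-style secret assignment",
     re.compile(r"\b[A-Z][A-Z0-9_]*(?:PASSWORD|PASS|SECRET|KEY|TOKEN)[A-Z0-9_]*=")),
    ("PEM private key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    # LESS normally resolves imports at compile time, so one surviving in the
    # compiled output deserves a look.
    ("@import directive in compiled output", re.compile(r"@import\b[^;]{0,120}")),
]


def scan_css(css: str) -> list:
    """Return (label, character offset, excerpt) for every indicator hit, in file order."""
    findings = []
    for label, pattern in INDICATORS:
        for match in pattern.finditer(css):
            findings.append((label, match.start(), match.group(0)[:60]))
    findings.sort(key=lambda finding: finding[1])
    return findings


def review(css: str) -> str:
    """Human-readable summary of scan_css()."""
    findings = scan_css(css)
    if not findings:
        return "no indicators found"
    return "\n".join(f"offset {off}: {label}: {excerpt!r}" for label, off, excerpt in findings)


# Constructed samples: a clean compiled stylesheet, and one where an inline
# import has dumped passwd-style lines into the middle of a rule.
CLEAN_CSS = ".Button{background:#4D698E;color:#fff}.Hero{background:#7E9DCE}"
TAINTED_CSS = (
    ".Button{background:#4D698E;"
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    ";color:#fff}"
)

if __name__ == "__main__":
    # Usage: python review_css.py /path/to/forum.css  (defaults to the samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as handle:
            print(review(handle.read()))
    else:
        print("clean sample:", review(CLEAN_CSS))
        print("tainted sample:\n" + review(TAINTED_CSS))
```

Run it against a copy of the served /assets/forum.css; because compiled CSS is often minified onto a single line, the indicators are matched anywhere in the text rather than line by line.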

Credit

Reported to the Flarum Foundation by William (Liam) Snow IV (@LiamSnow), discovered during a graduate-level network security lab at Worcester Polytechnic Institute.

Impact

An attacker who has compromised, or legitimately obtained, an administrator account can:

  • Read arbitrary local files reachable by the PHP process (e.g. /etc/passwd, .env, config files containing database credentials, OAuth secrets, API keys).
  • Trigger outbound HTTP/HTTPS requests from the Flarum host, enabling SSRF against internal services and cloud metadata endpoints such as http://169.254.169.254/ (AWS IMDSv1, GCP, Azure).

The contents of the attacker-controlled import are embedded into the compiled forum.css, which is publicly served, so the attacker can retrieve whatever was read simply by fetching the CSS file.

This is a privilege-escalation vulnerability: a forum administrator is not intended to have host-level file read access or reach into internal network resources.

Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.

CVE-2026-41887 has a CVSS score of 4.9 (Medium). The vector is network-reachable, requires high privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.8.16, 2.0.0-rc.1); upgrading removes the vulnerable code path.

Affected versions

  • flarum/core <= 1.8.15
  • flarum/core >= 2.0.0-beta.1, <= 2.0.0-beta.8

Security releases

  • flarum/core → 1.8.16 (composer)
  • flarum/core → 2.0.0-rc.1 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

  • flarum/core 1.8.16, fix for the 1.x branch.
  • flarum/core 2.0.0-rc.1, fix for the 2.x branch.

The fix extends the existing @import / data-uri() validation in Flarum\Forum\ValidateCustomLess::whenSettingsSaving to every dirty setting whose key is registered as a LESS config variable, not just custom_less.
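To make the shape of the fix concrete, here is an added Python model (not Flarum's code, and not a copy of ValidateCustomLess) of the two validators side by side: the pre-fix check that only inspects custom_less, and the fixed check that applies the same @import / data-uri() rejection to every dirty setting whose key is registered as a LESS config variable. The registered key set, the exception type and the hex-colour allow-list in validate_strict are this example's assumptions; the key names theme_primary_color / theme_secondary_color and the payload come from the advisory.

```python
"""Model of the CVE-2026-41887 fix: validate every LESS config variable, not only custom_less.

Added example, not Flarum's code. Flarum splices the values of settings
registered as LESS config variables verbatim into the LESS source. The pre-fix
validator only inspected custom_less; the fix applies the same @import /
data-uri() rejection to every dirty setting whose key is registered as a LESS
config variable. The registered key set, the error type and the colour
allow-list below are this example's assumptions.
"""
import re

# Keys registered as LESS config variables (assumed set; in Flarum, extensions
# register more via Extend\Settings::registerLessConfigVar()).
LESS_CONFIG_VARS = frozenset({"theme_primary_color", "theme_secondary_color"})

# LESS features that reach the filesystem or the network at compile time.
FORBIDDEN = re.compile(r"@import\b|data-uri\s*\(", re.IGNORECASE)

# Allow-list for colour settings (assumption: core theme colours are hex colours).
HEX_COLOR = re.compile(r"^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$")


class LessValidationError(ValueError):
    """Raised with the offending setting key when a value must not be saved."""


def validate_pre_fix(dirty: dict) -> None:
    """Vulnerable model of the CVE-2023-27577 patch: only custom_less is inspected."""
    value = dirty.get("custom_less")
    if isinstance(value, str) and FORBIDDEN.search(value):
        raise LessValidationError("custom_less")


def validate_fixed(dirty: dict, less_vars=LESS_CONFIG_VARS) -> None:
    """Fixed model: every dirty setting that feeds the LESS compiler is inspected."""
    for key, value in dirty.items():
        if key != "custom_less" and key not in less_vars:
            continue  # not interpolated into LESS, nothing to check
        if not isinstance(value, str) or FORBIDDEN.search(value):
            raise LessValidationError(key)


def validate_strict(dirty: dict, less_vars=LESS_CONFIG_VARS) -> None:
    """Defence in depth (this example's own addition, not part of the fix):
    colour settings must parse as a hex colour, so free-form LESS can never
    reach the compiler through them."""
    validate_fixed(dirty, less_vars)
    for key, value in dirty.items():
        if key in less_vars and key.endswith("_color") and not HEX_COLOR.match(value):
            raise LessValidationError(key)


def rejected_key(validator, dirty: dict):
    """Return the key a validator rejects, or None when the payload would be saved."""
    try:
        validator(dirty)
    except LessValidationError as err:
        return err.args[0]
    return None


# The payload from the advisory, and a benign one, both as dirty-settings dicts.
PAYLOAD = {"theme_primary_color": "#4D698E;@import (inline) '/etc/passwd';"}
BENIGN = {"theme_primary_color": "#4D698E", "welcome_title": "@import is fine here"}

if __name__ == "__main__":
    print("pre-fix rejects:", rejected_key(validate_pre_fix, PAYLOAD))
    print("fixed rejects:  ", rejected_key(validate_fixed, PAYLOAD))
    print("benign payload: ", rejected_key(validate_strict, BENIGN))
```

The benign payload shows why the fix is keyed on the registered variable set rather than on the string "@import" everywhere: a setting that is never interpolated into LESS (welcome_title here) stays unaffected. validate_strict goes one step beyond the advisory's fix by allow-listing colour values, which is the cheaper rule to reason about for settings that only ever hold a colour.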

Frequently Asked Questions

  1. What is CVE-2026-41887? CVE-2026-41887 is a medium-severity path traversal vulnerability in flarum/core (composer), affecting versions <= 1.8.15. It is fixed in 1.8.16, 2.0.0-rc.1. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
  2. How severe is CVE-2026-41887? CVE-2026-41887 has a CVSS score of 4.9 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of flarum/core are affected by CVE-2026-41887? flarum/core (composer) versions <= 1.8.15 are affected.
  4. Is there a fix for CVE-2026-41887? Yes. CVE-2026-41887 is fixed in 1.8.16 and 2.0.0-rc.1. Upgrade to one of these versions or later.
  5. Is CVE-2026-41887 exploitable, and should I be worried? Whether CVE-2026-41887 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-41887 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-41887?
    • Upgrade flarum/core to 1.8.16 or later
    • Upgrade flarum/core to 2.0.0-rc.1 or later

Other vulnerabilities in flarum/core

  • CVE-2025-27794
  • CVE-2024-21641
  • CVE-2023-40033
  • CVE-2023-27577
  • CVE-2023-22489
