CVE-2026-24900 MEDIUM

CVE-2026-24900: MarkUs has a submission-view IDOR that exposes all student submissions

Vendor Markusproject
Product Markus
Weakness CWE-639 · IDOR
Published February 9, 2026
Last update February 10, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

MarkUs is a web application for the submission and grading of student assignments. Prior to 2.9.1, the courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content endpoint accepted a select_file_id parameter to serve SubmissionFile objects containing a record of files submitted by students. This parameter was not correctly scoped to the requesting user, allowing users to access arbitrary submission file contents by id. This vulnerability is fixed in 2.9.1.
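
The scoping flaw described above, as an added example that is not MarkUs code or its 2.9.1 patch: an unscoped lookup by id beside a lookup restricted to the files the requester may read. The in-memory data, the struct fields, the function names and the rule that instructors see every file in an assignment are assumptions made for illustration.

```ruby
# Constructed stand-ins for illustration; these are not MarkUs's real models.
SubmissionFile = Struct.new(:id, :assignment_id, :grouping_id, :filename, :content)
User = Struct.new(:name, :role, :grouping_ids)

FILES = [
  SubmissionFile.new(1, 10, 100, "a1.py", "alice's answer"),
  SubmissionFile.new(2, 10, 200, "a1.py", "bob's answer"),
  SubmissionFile.new(3, 11, 100, "a2.py", "alice's other answer")
].freeze

ALICE = User.new("alice", :student, [100])
BOB   = User.new("bob", :student, [200])
PROF  = User.new("prof", :instructor, [])

class NotFound < StandardError; end

# Unscoped: the id is looked up globally, so any logged-in user who supplies
# another student's file id receives that file.
def html_content_unscoped(_user, _assignment_id, select_file_id)
  file = FILES.find { |f| f.id == Integer(select_file_id) }
  raise NotFound unless file
  file.content
end

# The set of files this requester may read for this assignment (assumed policy).
def visible_files(user, assignment_id)
  in_assignment = FILES.select { |f| f.assignment_id == assignment_id }
  return in_assignment if user.role == :instructor
  in_assignment.select { |f| user.grouping_ids.include?(f.grouping_id) }
end

# Scoped: resolve the id only inside the requester's visible set.
def html_content_scoped(user, assignment_id, select_file_id)
  id = Integer(select_file_id, exception: false)
  file = id && visible_files(user, assignment_id).find { |f| f.id == id }
  # One error for "no such id" and "not yours", so ids cannot be probed.
  raise NotFound unless file
  file.content
end

# Helper that turns the NotFound error into a value for easy comparison.
def fetch(handler, user, assignment_id, id)
  send(handler, user, assignment_id, id)
rescue NotFound
  :not_found
end
```

A regression test for this class of bug requests another user's file id as a low-privilege account and expects the same response as for a nonexistent id.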

Key dates

02 Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated