MarkUsProject's Markus is a web-based platform used primarily by educational institutions for managing student assignment submissions and grading. The vulnerability identified as CVE-2026-24900 is an authorization bypass caused by improper scoping of the select_file_id parameter in the endpoint courses/<:course_id>/assignments/<:assignment_id>/submissions/html_content. Prior to version 2.9.1, this parameter allowed authenticated users to request SubmissionFile objects by ID without verifying that the file belonged to the requesting user. This flaw violates the principle of least privilege, enabling users to access arbitrary submission files from other students or courses. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), indicating that the key controlling access was user-controllable and insufficiently validated. The CVSS v3.1 base score is 6.5, reflecting network exploitability (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N/A:N). No known exploits are reported in the wild as of the publication date. The fix involves proper scoping and authorization checks to ensure that select_file_id references only files accessible to the authenticated user. This vulnerability primarily threatens confidentiality by exposing sensitive student data, potentially violating privacy regulations and institutional policies.

For European organizations, particularly universities and educational institutions using Markus versions prior to 2.9.1, this vulnerability poses a significant risk to the confidentiality of student data. Unauthorized access to submission files could lead to exposure of sensitive academic work, personal information, and potentially intellectual property. Such data breaches may result in reputational damage, loss of trust, and regulatory penalties under GDPR due to improper handling of personal data. Although the vulnerability does not affect data integrity or system availability, the confidentiality breach alone is critical in the academic context. The ease of exploitation (network accessible, low complexity) combined with the requirement for authenticated access means insider threats or compromised accounts could leverage this flaw. European institutions with large student populations and extensive use of Markus are at higher risk, especially if patching is delayed. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the public disclosure.

1. Immediate upgrade of all Markus instances to version 2.9.1 or later, where the vulnerability is fixed. 2. Conduct an access control audit to verify that submission file access is correctly scoped to authenticated users. 3. Implement enhanced logging and monitoring of file access requests, focusing on unusual patterns such as access to files outside a user's courses or assignments. 4. Enforce strong authentication mechanisms and consider multi-factor authentication to reduce risk of account compromise. 5. Educate users and administrators about the risks of unauthorized data access and encourage prompt reporting of suspicious activity. 6. Review and update privacy policies and data handling procedures to ensure compliance with GDPR and other relevant regulations. 7. If immediate patching is not feasible, consider temporary network segmentation or access restrictions to limit exposure of the vulnerable endpoints. 8. Regularly check for updates and advisories from MarkUsProject and related security communities.