Manyfold is an open-source, self-hosted web application designed for managing collections of 3D models, with a focus on 3D printing workflows. In versions prior to 0.133.1, the get_model method within the ModelFilesController loads 3D model data using Model.find_param(params[:model_id]) without applying Pundit's policy_scope authorization checks. This contrasts with other controllers, such as ModelsController, which correctly enforce authorization by using policy_scope(Model).find_param(). The absence of policy_scope in get_model leads to an authorization bypass vulnerability classified under CWE-639, where user-controlled input (model_id parameter) can be used to access models outside the user's permitted scope. This flaw allows an unauthenticated attacker to retrieve or potentially manipulate 3D model files without proper permissions, impacting the integrity of the data. The vulnerability has a CVSS 3.1 base score of 5.3, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required, and no user interaction needed. The scope remains unchanged, and the impact affects integrity but not confidentiality or availability. The issue was addressed in manyfold version 0.133.1 by incorporating appropriate policy_scope authorization checks in the get_model method, ensuring that only authorized users can access specific models. There are no reports of active exploitation in the wild as of the publication date.

The primary impact of this vulnerability is unauthorized access and potential modification of 3D model files within the manyfold application. For organizations relying on manyfold to manage proprietary or sensitive 3D printing models, this could lead to intellectual property theft, unauthorized alterations, or sabotage of 3D assets. Since the vulnerability does not affect confidentiality or availability directly, the risk centers on data integrity and trustworthiness of model files. Attackers could exploit this flaw remotely without authentication, increasing the risk of widespread unauthorized access if the application is exposed to the internet. This could undermine manufacturing processes, product development, or any workflows dependent on accurate 3D models. Organizations with public-facing manyfold instances or those lacking strict network segmentation are particularly vulnerable. While no known exploits exist currently, the medium severity rating and ease of exploitation warrant prompt remediation to prevent potential future attacks.

To mitigate this vulnerability, organizations should upgrade manyfold to version 0.133.1 or later, where the authorization bypass is fixed by enforcing Pundit policy_scope checks in the get_model method. If immediate upgrading is not feasible, administrators should restrict network access to the manyfold application, limiting exposure to trusted internal networks only. Implementing web application firewalls (WAFs) with rules to detect and block suspicious requests targeting model retrieval endpoints can provide temporary protection. Additionally, auditing access logs for unusual or unauthorized model access attempts can help identify exploitation attempts. Developers maintaining forks or custom versions of manyfold should review their authorization logic to ensure consistent use of policy_scope across all model access points. Finally, organizations should incorporate regular security testing and code reviews focused on authorization controls to prevent similar issues.