CRITICAL 9.1
PYSEC-2026-2076
Access control vulnerable to user data deletion by anonynmous users
Details
### Impact Anonymous users can delete the user data maintained by an `AccessControl.userfolder.UserFolder` which may prevent any privileged access.
### Patches The problem is fixed in version 7.2.
### Workarounds The problem can be fixed by adding `data__roles__ = ()` to `AccessControl.userfolder.UserFolder`.
### References https://github.com/zopefoundation/AccessControl/issues/159
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/zopefoundation/AccessControl/security/advisories/GHSA-g5vw-3h65-2q3v [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-51734 [ADVISORY]
- https://github.com/zopefoundation/AccessControl/issues/159 [WEB]
- https://github.com/zopefoundation/AccessControl [PACKAGE]
- https://pypi.org/project/zope [PACKAGE]
- https://github.com/advisories/GHSA-g5vw-3h65-2q3v [ADVISORY]