PatchSiren cyber security CVE debrief
CVE-2016-10026 Ikiwiki CVE debrief
CVE-2016-10026 is a high-severity ikiwiki authorization flaw affecting version 3.20161219 on sites that use the git and recentchanges plugins with the CGI interface enabled. According to the CVE description, the application does not properly check whether a revision changes a page’s access permissions, which can let a remote attacker revert certain changes by taking advantage of permissions that applied before the revision was made.
- Vendor: Ikiwiki
- Product: CVE-2016-10026
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-13
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-13
- Advisory updated: 2026-05-13
Who should care
Administrators and maintainers of ikiwiki deployments, especially those running version 3.20161219 with the git and recentchanges plugins enabled through the CGI interface. Teams responsible for wiki access control, page history, and change-management workflows should also review their exposure.
Technical summary
NVD classifies this issue as CVSS 3.0 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) and maps it to CWE-284. The core problem is an authorization check failure: ikiwiki does not correctly determine whether a revision alters a page’s access permissions, allowing a remote attacker to revert specific changes when earlier permissions would have permitted that action. The NVD affected CPE is ikiwiki 3.20161219.
Defensive priority
High. The issue is network-exploitable, requires no privileges or user interaction, and can impact the integrity of page content and revision history.
Recommended defensive actions
- Confirm whether any ikiwiki instance is running version 3.20161219 and whether the git and recentchanges plugins are used with CGI.
- Apply the vendor guidance and any available distribution security update or patch referenced in the linked advisories.
- Review page permission and revision workflows for cases where access rules change over time, and validate that revert actions are authorized under the correct revision context.
- Audit recent change and revert activity for unexpected rollbacks on affected sites.
- Use the linked vendor and Debian advisories as the primary remediation references for deployment-specific instructions.
Evidence notes
This debrief is based only on the supplied CVE description, the NVD record, and the linked vendor/Debian/mailing-list references. The facts used here are limited to the affected version (ikiwiki 3.20161219), the required deployment conditions (git and recentchanges plugins with CGI enabled), the authorization-check weakness, the remote integrity impact, and the published CVSS/CWE data from NVD.
Official resources
- CVE-2016-10026 CVE record: CVE.org
- CVE-2016-10026 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Vendor Advisory
- Source reference
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
Publicly disclosed and published on 2017-02-13T18:59:00.363Z; modified in the CVE/NVD record on 2026-05-13T00:24:29.033Z.