Advisories for Maven/Nl.nl-Portal/Documenten-Api package

2026

NL Portal Backend Libraries: Document contents remained downloadable by any logged-in user (incomplete fix of CVE-2026-49463)

A previous advisory (CVE-2026-49463 / GHSA-qpm9-h556-mwxm) reported that any logged-in user could download any document by its identifier, and stated that this was fixed in 3.0.1. For the document-content part, that fix was incomplete: document contents remained downloadable by any authenticated user in 3.0.1 and 3.0.2, and the issue was only fully resolved in 3.0.3.