Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Security Advisory - Page Content Retrieval (Improper Authorization)
Summary
An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.
Affected Versions
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0
Patched Versions
- 1.41.1
- 2.41.1
Description
In part of the page content retrieval feature, insufficient authorization checks could allow processing associated with non-public pages to be executed. If exploited, the contents and attachments of non-public pages may be obtained by a third party. Users affected by this vulnerability should update to a fixed version.
Solution
Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.
Credits
OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.
AnalysisAI
Insufficient authorization checks in the page content retrieval feature (versions 1.x <= 1.41.0 and 2.x <= 2.41.1) allow unauthenticated attackers to access non-public page contents and attachments. An attacker can retrieve sensitive information from restricted pages without proper credentials. Users must upgrade to version 1.41.1 or 2.41.1 to remediate this vulnerability.
Technical ContextAI
Connect CMS is a PHP-based content management system distributed as a Composer package (opensource-workshop/connect-cms). The vulnerability stems from CWE-284 (Improper Access Control), where the page content retrieval functionality fails to properly validate user authorization before processing requests related to non-public pages. This authorization bypass occurs specifically in the page content retrieval feature's processing logic, allowing unauthorized actors to trigger operations that should be restricted to authenticated users with appropriate permissions. The flaw represents a classic broken access control issue where security checks are either missing or improperly implemented in the content access layer.
RemediationAI
Update Connect CMS immediately to version 1.41.1 or later for the 1.x series, or to version 2.41.1 or later for the 2.x series as documented in the official security advisory at https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-62ch-j6x7-722j. The patches implement proper authorization checks in the page content retrieval feature to prevent unauthorized access to non-public content. As an interim mitigation until patching is completed, consider restricting network access to the CMS administrative and content retrieval interfaces to trusted IP ranges via firewall rules or web application firewall policies, and audit access logs for any suspicious attempts to retrieve non-public page content. Review existing page permissions and access controls to ensure non-public content is properly classified.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14574