Skip to main content

CVE-2026-32299

| EUVDEUVD-2026-14574 HIGH
Improper Access Control (CWE-284)
2026-03-23 https://github.com/opensource-workshop/connect-cms
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14574
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
CVE Published
Mar 23, 2026 - 20:38 nvd
HIGH 7.5

DescriptionGitHub Advisory

Security Advisory - Page Content Retrieval (Improper Authorization)

Summary

An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.

Affected Versions

  • 1.x series: <= 1.41.0
  • 2.x series: <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In part of the page content retrieval feature, insufficient authorization checks could allow processing associated with non-public pages to be executed. If exploited, the contents and attachments of non-public pages may be obtained by a third party. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShop thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

Insufficient authorization checks in the page content retrieval feature (versions 1.x <= 1.41.0 and 2.x <= 2.41.1) allow unauthenticated attackers to access non-public page contents and attachments. An attacker can retrieve sensitive information from restricted pages without proper credentials. Users must upgrade to version 1.41.1 or 2.41.1 to remediate this vulnerability.

Technical ContextAI

Connect CMS is a PHP-based content management system distributed as a Composer package (opensource-workshop/connect-cms). The vulnerability stems from CWE-284 (Improper Access Control), where the page content retrieval functionality fails to properly validate user authorization before processing requests related to non-public pages. This authorization bypass occurs specifically in the page content retrieval feature's processing logic, allowing unauthorized actors to trigger operations that should be restricted to authenticated users with appropriate permissions. The flaw represents a classic broken access control issue where security checks are either missing or improperly implemented in the content access layer.

RemediationAI

Update Connect CMS immediately to version 1.41.1 or later for the 1.x series, or to version 2.41.1 or later for the 2.x series as documented in the official security advisory at https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-62ch-j6x7-722j. The patches implement proper authorization checks in the page content retrieval feature to prevent unauthorized access to non-public content. As an interim mitigation until patching is completed, consider restricting network access to the CMS administrative and content retrieval interfaces to trusted IP ranges via firewall rules or web application firewall policies, and audit access logs for any suspicious attempts to retrieve non-public page content. Review existing page permissions and access controls to ensure non-public content is properly classified.

Share

CVE-2026-32299 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy