Skip to main content

CVE-2026-32300

| EUVDEUVD-2026-14576 HIGH
Improper Authorization (CWE-285)
2026-03-23 https://github.com/opensource-workshop/connect-cms GHSA-qr6x-wvxr-8hm9
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 23, 2026 - 20:45 euvd
EUVD-2026-14576
Analysis Generated
Mar 23, 2026 - 20:45 vuln.today
Patch released
Mar 23, 2026 - 20:45 nvd
Patch available
CVE Published
Mar 23, 2026 - 20:39 nvd
HIGH 8.1

DescriptionGitHub Advisory

Security Advisory - My Page Profile Update (Improper Authorization)

Summary

An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.

Affected Versions

  • 1.x series: <= 1.41.0
  • 2.x series: <= 2.41.0

Patched Versions

  • 1.41.1
  • 2.41.1

Description

In part of the My Page profile update feature, another user's profile information or password could be modified. If exploited, arbitrary user accounts may be taken over. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.

Solution

Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.

Credits

OpenSource WorkShops thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.

AnalysisAI

Improper authorization in the My Page profile update feature allows authenticated attackers to modify arbitrary user profiles and passwords, potentially leading to account takeover. Affected versions include 1.x through 1.41.0 and 2.x through 2.41.0; patches are available in versions 1.41.1 and 2.41.1. Exploitation requires valid authentication but no additional privileges or user interaction.

Technical ContextAI

Connect CMS is a PHP-based content management system distributed via Composer (pkg:composer/opensource-workshop_connect-cms). The vulnerability stems from CWE-285 (Improper Authorization), indicating that the profile update functionality in the My Page feature fails to properly validate whether the authenticated user has permission to modify the target user profile. This authorization bypass occurs during the profile update process, where the application does not adequately verify that the user initiating the update request is authorized to modify the specific user account being updated. The flaw allows an attacker to manipulate request parameters to target other users' profiles or passwords instead of their own.

RemediationAI

Immediately upgrade Connect CMS to version 1.41.1 or later for the 1.x series, or version 2.41.1 or later for the 2.x series. The patch commit is available at https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce and release notes at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1. No workarounds are mentioned in the advisory, making immediate patching the only effective remediation. Organizations unable to patch immediately should consider temporarily disabling the My Page profile update functionality or implementing additional authentication controls and audit logging to detect unauthorized profile modification attempts. Conduct a security review of user accounts to identify any unauthorized modifications that may have occurred prior to patching.

Share

CVE-2026-32300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy