Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
Security Advisory - My Page Profile Update (Improper Authorization)
Summary
An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.
Affected Versions
- 1.x series: <= 1.41.0
- 2.x series: <= 2.41.0
Patched Versions
- 1.41.1
- 2.41.1
Description
In part of the My Page profile update feature, another user's profile information or password could be modified. If exploited, arbitrary user accounts may be taken over. Exploitation requires that the attacker be able to reach the affected functionality as an authenticated user. Users affected by this vulnerability should update to a fixed version.
Solution
Update to the fixed version. For the 1.x series, update to 1.41.1 or later. For the 2.x series, update to 2.41.1 or later.
Credits
OpenSource WorkShops thanks Sho Odagiri (小田切 祥) of GMO Cybersecurity by Ierae, Inc. for reporting this vulnerability.
AnalysisAI
Improper authorization in the My Page profile update feature allows authenticated attackers to modify arbitrary user profiles and passwords, potentially leading to account takeover. Affected versions include 1.x through 1.41.0 and 2.x through 2.41.0; patches are available in versions 1.41.1 and 2.41.1. Exploitation requires valid authentication but no additional privileges or user interaction.
Technical ContextAI
Connect CMS is a PHP-based content management system distributed via Composer (pkg:composer/opensource-workshop_connect-cms). The vulnerability stems from CWE-285 (Improper Authorization), indicating that the profile update functionality in the My Page feature fails to properly validate whether the authenticated user has permission to modify the target user profile. This authorization bypass occurs during the profile update process, where the application does not adequately verify that the user initiating the update request is authorized to modify the specific user account being updated. The flaw allows an attacker to manipulate request parameters to target other users' profiles or passwords instead of their own.
RemediationAI
Immediately upgrade Connect CMS to version 1.41.1 or later for the 1.x series, or version 2.41.1 or later for the 2.x series. The patch commit is available at https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce and release notes at https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1. No workarounds are mentioned in the advisory, making immediate patching the only effective remediation. Organizations unable to patch immediately should consider temporarily disabling the My Page profile update functionality or implementing additional authentication controls and audit logging to detect unauthorized profile modification attempts. Conduct a security review of user accounts to identify any unauthorized modifications that may have occurred prior to patching.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14576
GHSA-qr6x-wvxr-8hm9