Skip to main content

API CVE-2026-34372

MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-03-30 https://github.com/sulu/sulu GHSA-6h7h-m7p5-hjqp
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 30, 2026 - 18:15 vuln.today
CVE Published
Mar 30, 2026 - 18:04 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Impact

A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.

Patches

The issue was patched in release 2.6.22 and 3.0.5.

Workarounds

Create a Symfony Request Listener checking the permissions for the specific roles.

Resources

Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp

AnalysisAI

Information disclosure in Sulu admin API allows users with any Sulu Admin role to access contact sub-entities without explicit contact permissions, bypassing authorization controls. Affects Sulu versions prior to 2.6.22 and 3.0.x prior to 3.0.5. No CVSS or EPSS data available; no active exploitation confirmed, but the vulnerability enables unauthorized data exposure through a widely-accessible admin interface.

Technical ContextAI

Sulu is a PHP-based content management and headless CMS platform (CPE: pkg:composer/sulu_sulu). The vulnerability exists in the Sulu Admin API's authorization logic for contact sub-entities. The root cause is classified as CWE-288 (Authentication Using an Incorrect Unified Protocol), indicating a flaw in how the API validates user permissions when accessing related contact data. Users granted any Sulu Admin role receive implicit access to contact hierarchies regardless of their explicit contact management permissions, suggesting the API inherits parent-role permissions without proper scope validation.

RemediationAI

Vendor-released patches: upgrade to Sulu 2.6.22 (for 2.6.x branch) or 3.0.5 (for 3.0.x branch). Both versions contain authorization logic fixes that restrict API access to contact sub-entities only for users with explicit contact permissions. As an interim workaround pending patching, implement a Symfony Request Listener that validates user permissions for the specific roles accessing the admin API, explicitly checking contact authorization before allowing sub-entity queries. This requires custom code and should be considered a temporary measure only. Consult the GitHub advisory at https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp for detailed guidance.

Share

CVE-2026-34372 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy