API CVE-2026-34372
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Impact
A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.
Patches
The issue was patched in release 2.6.22 and 3.0.5.
Workarounds
Create a Symfony Request Listener checking the permissions for the specific roles.
Resources
Github Advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
AnalysisAI
Information disclosure in Sulu admin API allows users with any Sulu Admin role to access contact sub-entities without explicit contact permissions, bypassing authorization controls. Affects Sulu versions prior to 2.6.22 and 3.0.x prior to 3.0.5. No CVSS or EPSS data available; no active exploitation confirmed, but the vulnerability enables unauthorized data exposure through a widely-accessible admin interface.
Technical ContextAI
Sulu is a PHP-based content management and headless CMS platform (CPE: pkg:composer/sulu_sulu). The vulnerability exists in the Sulu Admin API's authorization logic for contact sub-entities. The root cause is classified as CWE-288 (Authentication Using an Incorrect Unified Protocol), indicating a flaw in how the API validates user permissions when accessing related contact data. Users granted any Sulu Admin role receive implicit access to contact hierarchies regardless of their explicit contact management permissions, suggesting the API inherits parent-role permissions without proper scope validation.
RemediationAI
Vendor-released patches: upgrade to Sulu 2.6.22 (for 2.6.x branch) or 3.0.5 (for 3.0.x branch). Both versions contain authorization logic fixes that restrict API access to contact sub-entities only for users with explicit contact permissions. As an interim workaround pending patching, implement a Symfony Request Listener that validates user permissions for the specific roles accessing the admin API, explicitly checking contact authorization before allowing sub-entity queries. This requires custom code and should be considered a temporary measure only. Consult the GitHub advisory at https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp for detailed guidance.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-6h7h-m7p5-hjqp