Skip to main content

Scoold CVE-2026-34832

| EUVDEUVD-2026-18529 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-02 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.66.1
EUVD ID Assigned
Apr 02, 2026 - 19:31 euvd
EUVD-2026-18529
Analysis Generated
Apr 02, 2026 - 19:31 vuln.today
CVE Published
Apr 02, 2026 - 19:08 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.

AnalysisAI

Scoold versions prior to 1.66.1 allow authenticated low-privilege users to delete any other user's feedback posts via an authorization flaw in the POST /feedback/{id}/delete endpoint. The vulnerability requires login but lacks object ownership verification, enabling lateral privilege escalation where any team member can destroy feedback created by colleagues or administrators. No public exploit code or active exploitation has been identified; the issue was discovered during code review and patched in version 1.66.1.

Technical ContextAI

Scoold is a Java-based Q&A and knowledge-sharing platform built on the Erudika framework. The vulnerability exists in the feedback deletion handler, which properly enforces authentication (requiring PR:L privilege level per CVSS vector) but fails to implement authorization checks for resource ownership. The flaw is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a common pattern in REST APIs where user IDs or resource IDs are trusted without validating that the requesting user owns or has permission to modify the target resource. The endpoint accepts POST requests with a feedback ID parameter and immediately processes deletion without comparing the authenticated user's identity against the feedback's creator or checking for moderator/admin status.

RemediationAI

Vendor-released patch: Upgrade Scoold to version 1.66.1 or later. The fix is available directly from the GitHub releases page (https://github.com/Erudika/scoold/releases/tag/1.66.1) and the security advisory (https://github.com/Erudika/scoold/security/advisories/GHSA-g5fv-xw88-vw44). The upstream commit 5def88c25405cc60482292bcceb45dc024e899fe implements authorization checks to verify object ownership before allowing deletion. If immediate upgrade is not feasible, restrict feedback deletion capabilities to administrators only through role-based access control settings, or temporarily disable feedback deletion for non-admin users by adjusting application permissions until patched.

Share

CVE-2026-34832 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy