Skip to main content

Scoold CVE-2026-39354

| EUVDEUVD-2026-19863 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-07 security-advisories@github.com
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.66.2
EUVD ID Assigned
Apr 07, 2026 - 19:22 euvd
EUVD-2026-19863
Analysis Generated
Apr 07, 2026 - 19:22 vuln.today
CVE Published
Apr 07, 2026 - 19:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to 1.66.2, an authenticated authorization flaw in Scoold allows any logged-in, low-privilege user to overwrite another user's existing question by supplying that question's public ID as the postId parameter to POST /questions/ask. Because question IDs are exposed in normal question URLs, a low-privilege attacker can take a victim question ID from a public page and cause attacker-controlled content to be stored under that existing question object. This causes direct integrity loss of user-generated content and corrupts the integrity of the existing discussion thread. This vulnerability is fixed in 1.66.2.

AnalysisAI

Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by submitting a POST request to /questions/ask with another user's question ID as the postId parameter. Since question IDs are publicly visible in URLs, attackers can identify target questions and replace their content with malicious text, corrupting discussion threads and destroying legitimate user-generated content. The vulnerability requires only basic user authentication and network access, making it trivially exploitable by any logged-in account.

Technical ContextAI

Scoold is a Node.js-based Q&A and knowledge-sharing platform built on Erudika. The vulnerability stems from insufficient authorization checks in the question creation endpoint (POST /questions/ask), which fails to validate whether the authenticated user owns or has permission to modify the question object being targeted. The flaw leverages CWE-639 (Authorization Bypass Through User-Controlled Key), where the application trusts user-supplied postId parameters without verifying ownership. Question IDs are embedded in publicly accessible URLs (e.g., /question/{postId}), allowing reconnaissance of targets. The authorization framework does not cross-reference the authenticated user's identity against question ownership metadata before allowing write operations.

RemediationAI

Upgrade Scoold to version 1.66.2 or later, which implements proper ownership validation in the POST /questions/ask endpoint. The patched version verifies that the authenticated user either owns the question or holds sufficient administrative privileges before allowing updates via the postId parameter. No workarounds are available for versions prior to 1.66.2; patching is the only mitigation. Administrators should prioritize this upgrade and audit question modification logs to detect potential unauthorized overwrites prior to the patch date.

Share

CVE-2026-39354 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy