CVE-2026-34372
Received Received - Intake
Unauthorized Access in Sulu Admin API via Improper Permissions

Publication date: 2026-03-31

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34372
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
sulu sulu From 1.0.0 (inc) to 2.6.22 (exc)
sulu sulu From 3.0.0 (inc) to 3.0.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Mitigation Strategies

To mitigate this vulnerability, you should upgrade your Sulu CMS to version 2.6.22 or later if you are using the 2.x branch, or to version 3.0.5 or later if you are using the 3.x branch. These versions contain the patch that fixes the unauthorized access issue.

Executive Summary

This vulnerability affects the Sulu content management system, specifically versions from 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5. It allows a user who has permission to access the Sulu Admin interface through at least one role to access sub-entities of contacts via the admin API, even if they do not have explicit permission to access contacts themselves.

Essentially, the access control mechanism is flawed, permitting unauthorized access to contact-related data through the admin API.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of contact information because users with limited admin permissions can access contact sub-entities without proper authorization.

Such unauthorized access could result in data leakage, privacy violations, and potential misuse of sensitive contact data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34372. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart