CVE-2026-34372
Unauthorized Access in Sulu Admin API via Improper Permissions
Publication date: 2026-03-31
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sulu | sulu | From 1.0.0 (inclusive) to 2.6.22 (exclusive) |
| sulu | sulu | From 3.0.0 (inclusive) to 3.0.5 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Sulu content management system, specifically versions from 1.0.0 up to but not including 2.6.22, and from 3.0.0 up to but not including 3.0.5. It allows any user who can reach the Sulu Admin interface through at least one role to read the sub-entities of contacts via the admin API, even when that user has not been granted permission to access contacts themselves.
In other words, the permission check applied to contacts is not applied to the API routes that serve their sub-entities, so the admin API becomes an alternate path to contact-related data that bypasses the intended access control.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade your Sulu CMS to version 2.6.22 or later if you are using the 2.x branch, or to version 3.0.5 or later if you are using the 3.x branch. These versions contain the patch that fixes the unauthorized access issue.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of contact information, because users with only limited admin permissions can read contact sub-entities through the admin API without the authorization that contacts themselves require.
Such unauthorized access could result in data leakage, privacy violations, and potential misuse of sensitive contact data.