CVE-2026-34832
Received Received - Intake
Authorization Bypass in Scoold Feedback Deletion Allows Unauthorized Removal

Publication date: 2026-04-02

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34832
EUVD
EUVD-2026-18529
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
erudika scoold to 1.66.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34832 is an authorization bypass vulnerability in the Scoold Q&A platform affecting feedback deletion functionality prior to version 1.66.1.

The flaw allows any logged-in user with low privileges to delete feedback posts created by other users by submitting the feedback post's ID to the POST /feedback/{id}/delete endpoint.

While the system verifies that the user is authenticated, it does not check whether the user owns the feedback or has moderator/admin rights before allowing deletion.

This means unauthorized users can delete other users' feedback posts, compromising data integrity.

The issue was patched in version 1.66.1 by adding ownership and permission checks before allowing deletion.

Impact Analysis

This vulnerability allows any authenticated user with low privileges to delete feedback posts created by other users without proper authorization.

The impact is a high integrity loss because unauthorized deletion of user-generated content can occur.

Such unauthorized deletions can disrupt collaboration, cause loss of valuable feedback, and damage trust in the platform.

Since the attack complexity is low and no user interaction is required, exploitation is relatively easy for any logged-in user.

Compliance Impact

The vulnerability allows any authenticated, low-privilege user to delete feedback posts created by other users without proper authorization checks. This unauthorized deletion compromises data integrity by allowing destructive actions on user-generated content.

Such unauthorized data manipulation could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and proper access controls to prevent unauthorized modification or deletion of user data.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Detection Guidance

This vulnerability can be detected by attempting to delete feedback posts belonging to other users using the POST endpoint `/feedback/{id}/delete` while authenticated as a low-privilege user.

A practical detection method is to use an HTTP client or command-line tool like curl to send a POST request to the vulnerable endpoint with the ID of a feedback post that does not belong to the authenticated user.

  • Example curl command to test deletion of another user's feedback post:
  • curl -X POST -b cookies.txt https://your-scoold-instance/feedback/{id}/delete

Here, `cookies.txt` contains the authentication cookies of a low-privilege user, and `{id}` is replaced with the target feedback post ID. If the feedback post is deleted successfully without proper authorization, the system is vulnerable.

Mitigation Strategies

The immediate mitigation step is to upgrade the Scoold application to version 1.66.1 or later, where this vulnerability has been patched.

The patch includes proper ownership and permission checks before allowing deletion of feedback posts, ensuring only authorized users (owners, teachers, or moderators) can delete feedback.

If upgrading immediately is not possible, restrict access to the feedback deletion endpoint to trusted users only, or disable the feedback deletion functionality temporarily.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34832. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart