CVE-2026-34832
Authorization Bypass in Scoold Feedback Deletion Allows Unauthorized Removal
Publication date: 2026-04-02
Last updated on: 2026-04-15
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| erudika | scoold | < 1.66.1 (1.66.1 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34832 is an authorization bypass vulnerability in the Scoold Q&A platform affecting feedback deletion functionality prior to version 1.66.1.
The flaw allows any logged-in user with low privileges to delete feedback posts created by other users by submitting the feedback post's ID to the POST /feedback/{id}/delete endpoint.
While the system verifies that the user is authenticated, it does not check whether the user owns the feedback or has moderator/admin rights before allowing deletion.
This means unauthorized users can delete other users' feedback posts, compromising data integrity.
The issue was patched in version 1.66.1 by adding ownership and permission checks before allowing deletion.
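The check that was missing before 1.66.1 is an object-level one: after confirming that the caller is logged in, the server must also load the feedback record and confirm that the caller owns it or holds a moderator/admin role. The following Python model is an added illustration of that contrast and is not Scoold's code; the names `User`, `FeedbackPost`, `FeedbackStore`, `delete_feedback_vulnerable` and `delete_feedback_fixed` and the in-memory store are assumptions chosen for the example.

```python
"""Constructed model of the authorization check behind CVE-2026-34832.

Added example, not Scoold's code: the class and function names are
assumptions, and the in-memory store stands in for the real database.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    is_mod: bool = False      # moderator/admin flag (assumed attribute name)


@dataclass
class FeedbackPost:
    id: str
    creator_id: str
    body: str


class NotAuthorized(Exception):
    """Raised when a caller may not perform the requested action."""


class FeedbackStore:
    """Minimal stand-in for the persistence layer."""

    def __init__(self, posts):
        self._posts = {p.id: p for p in posts}

    def get(self, post_id):
        return self._posts.get(post_id)

    def remove(self, post_id):
        self._posts.pop(post_id, None)

    def __len__(self):
        return len(self._posts)


def delete_feedback_vulnerable(store, user, post_id):
    """Pre-1.66.1 behaviour as the advisory describes it: only authentication is checked.

    `user` is None for an anonymous request. Any logged-in user can
    remove any post simply by naming its id (CWE-639).
    """
    if user is None:
        raise NotAuthorized("login required")
    post = store.get(post_id)
    if post is None:
        return False
    store.remove(post_id)   # no ownership or role check here
    return True


def can_delete_feedback(user, post):
    """Object-level rule: the post's owner or a moderator may delete it."""
    return user is not None and (user.is_mod or post.creator_id == user.id)


def delete_feedback_fixed(store, user, post_id):
    """Patched behaviour: authentication plus an ownership/role check.

    The record is loaded first so the decision is made against the
    stored creator, never against a value supplied by the client.
    """
    if user is None:
        raise NotAuthorized("login required")
    post = store.get(post_id)
    if post is None:
        return False
    if not can_delete_feedback(user, post):
        raise NotAuthorized(f"user {user.id} may not delete feedback {post_id}")
    store.remove(post_id)
    return True


def sample_store():
    """Constructed sample data: two feedback posts by different users."""
    return FeedbackStore([
        FeedbackPost("fb-1", creator_id="alice", body="search is slow"),
        FeedbackPost("fb-2", creator_id="bob", body="dark mode please"),
    ])


if __name__ == "__main__":
    other = User("carol")                 # logged in, low privilege, not the owner
    store = sample_store()
    print("vulnerable:", delete_feedback_vulnerable(store, other, "fb-1"), "posts left:", len(store))
    store = sample_store()
    try:
        delete_feedback_fixed(store, other, "fb-1")
    except NotAuthorized as exc:
        print("fixed:", exc, "posts left:", len(store))
```

The important design point is the order of operations in `delete_feedback_fixed`: the record is fetched before the decision, so the ownership comparison uses the server-side `creator_id` rather than anything the request carries.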
How can this vulnerability impact me?
This vulnerability allows any authenticated user with low privileges to delete feedback posts created by other users without proper authorization.
The impact is a high integrity loss because unauthorized deletion of user-generated content can occur.
Such unauthorized deletions can disrupt collaboration, cause loss of valuable feedback, and damage trust in the platform.
Since the attack complexity is low and no user interaction is required, exploitation is relatively easy for any logged-in user.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to delete feedback posts belonging to other users using the POST endpoint `/feedback/{id}/delete` while authenticated as a low-privilege user.
A practical detection method is to use an HTTP client or command-line tool like curl to send a POST request to the vulnerable endpoint with the ID of a feedback post that does not belong to the authenticated user.
Example curl command to test deletion of another user's feedback post:

```bash
curl -X POST -b cookies.txt https://your-scoold-instance/feedback/{id}/delete
```
Here, `cookies.txt` contains the authentication cookies of a low-privilege user, and `{id}` is replaced with the target feedback post ID. If the feedback post is deleted successfully without proper authorization, the system is vulnerable.
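Besides probing a test instance, a defender will usually want to review historical activity for deletions that the pre-1.66.1 code would have allowed. The script below is an added example, not part of the advisory and not Scoold's own tooling; it assumes a constructed, Apache-style access log in which the third field is the authenticated user id (Scoold's actual log layout is not given on this page), and it compares every successful `POST /feedback/{id}/delete` with a constructed ownership map and moderator set so that deletions by a non-owner, non-moderator account stand out.

```python
"""Added detection example for CVE-2026-34832 (not from the advisory or Scoold).

Assumes an Apache-like access log with the authenticated user in the
third field; this layout and the sample lines below are constructed.
"""
import re

# Matches only feedback-delete requests; other lines are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"POST /feedback/(?P<post_id>[^/\s]+)/delete HTTP/1\.[01]" '
    r'(?P<status>\d{3}) '
)

# Constructed sample log lines (hypothetical hosts, users and post ids).
SAMPLE_LOG = """\
10.0.0.5 - alice [02/Apr/2026:10:00:01 +0000] "POST /feedback/fb-1/delete HTTP/1.1" 200 12
10.0.0.9 - carol [02/Apr/2026:10:05:17 +0000] "POST /feedback/fb-2/delete HTTP/1.1" 200 12
10.0.0.9 - carol [02/Apr/2026:10:05:40 +0000] "GET /feedback HTTP/1.1" 200 4096
10.0.0.7 - mod1 [02/Apr/2026:10:06:02 +0000] "POST /feedback/fb-3/delete HTTP/1.1" 200 12
10.0.0.9 - - [02/Apr/2026:10:07:30 +0000] "POST /feedback/fb-4/delete HTTP/1.1" 403 0
10.0.0.9 - carol [02/Apr/2026:10:08:00 +0000] "POST /feedback/fb-4/delete HTTP/1.1" 403 0
"""

# Constructed ownership map (post id -> creator) and moderator set; in
# practice these come from the application's database.
OWNERS = {"fb-1": "alice", "fb-2": "bob", "fb-3": "dave", "fb-4": "erin"}
MODERATORS = {"mod1"}


def parse_delete_events(log_text):
    """Yield (user, post_id, status) for each feedback-delete request."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["user"], m["post_id"], int(m["status"])


def find_suspicious_deletes(log_text, owners, moderators):
    """Return accepted deletions (status < 400) by users who are neither owner nor moderator.

    Each hit is (user, post_id, owner). Unknown post ids are reported
    with owner None so they can be reconciled manually.
    """
    hits = []
    for user, post_id, status in parse_delete_events(log_text):
        if status >= 400:
            continue              # request was refused; nothing was removed
        if user in moderators:
            continue              # moderators are allowed to delete any post
        owner = owners.get(post_id)
        if owner != user:
            hits.append((user, post_id, owner))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_deletes(SAMPLE_LOG, OWNERS, MODERATORS):
        print("suspicious delete (user, post, owner):", hit)
```

Run against the sample data this flags one event, carol removing bob's post; on a real deployment the ownership map and moderator list must be exported from the application, and the regex adjusted to the log format actually in use.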
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows any authenticated, low-privilege user to delete feedback posts created by other users without proper authorization checks. This unauthorized deletion compromises data integrity by allowing destructive actions on user-generated content.
Such unauthorized data manipulation could potentially impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and proper access controls to prevent unauthorized modification or deletion of user data.
However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Scoold application to version 1.66.1 or later, where this vulnerability has been patched.
The patch includes proper ownership and permission checks before allowing deletion of feedback posts, ensuring only authorized users (owners, teachers, or moderators) can delete feedback.
If upgrading immediately is not possible, restrict access to the feedback deletion endpoint to trusted users only, or disable the feedback deletion functionality temporarily.