Executive Summary

CVE-2026-39354 is an authenticated authorization flaw in the Scoold Q&A platform that allows any logged-in, low-privilege user to overwrite another user's existing question.

This happens because the application accepts a question's public ID (postId) as a parameter when posting a question, and it does not verify whether the ID belongs to the user or if it is already in use.

Since question IDs are publicly exposed in URLs, an attacker can obtain a victim's question ID and submit a request to overwrite that question with attacker-controlled content.

This results in the victim's question content and author being replaced, while existing replies and comments remain attached, causing corruption and defacement of discussion threads.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized users to overwrite other users' questions, leading to several impacts:

• Loss of integrity of user-generated content by replacing legitimate questions with attacker-controlled content.
• Corruption and defacement of existing discussion threads, misleading users who read or respond to the altered questions.
• Disruption of moderation and discussion workflows due to unexpected content changes.
• Potential reputational damage as users may see misleading or malicious content under legitimate question URLs.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring POST requests to the /questions/ask endpoint where the postId parameter is set to an existing question ID that belongs to another user.

Since question IDs are publicly exposed in URLs, an attacker can supply a victim's question ID in the postId parameter to overwrite that question.

To detect exploitation attempts, you can look for unusual POST requests with the postId parameter matching existing question IDs that are not owned by the authenticated user.

• Use network monitoring or web server logs to filter POST requests to /questions/ask containing the postId parameter.
• Example command to search logs for suspicious requests (assuming logs are in access.log):
• grep 'POST /questions/ask' access.log | grep 'postId='
• Further analysis should verify if the postId corresponds to a question owned by the authenticated user making the request.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Scoold to version 1.66.2 or later, where this authorization flaw has been fixed.

Until the upgrade is applied, restrict access to the /questions/ask endpoint to trusted users only, or implement additional authorization checks to ensure users can only modify their own questions.

Monitor logs for suspicious POST requests attempting to overwrite questions by supplying another user's question ID.

Consider temporarily disabling the ability for low-privilege users to submit questions or edits if possible.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthorized overwriting of another user's question content, causing direct integrity loss of user-generated data and corruption of discussion threads.

Such integrity loss and unauthorized modification of user data could potentially impact compliance with standards and regulations that require data integrity and protection against unauthorized access or modification, such as GDPR and HIPAA.

However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.

Useful 0 Not Useful 0