CVE-2026-38587
Status: Deferred - Pending Action
IDOR Vulnerability in ONLYOFFICE DocSpace Exposes Sensitive Data

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: MITRE

Description
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
Meta Information
Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (1 associated CPE)
Vendor: onlyoffice
Product: docspace
Version / Range: up to 3.2.1 (excluding)
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Compliance Impact

The vulnerability allows authenticated users with low-level permissions to access sensitive information such as the Owner's unique identifier and profile information, which should be restricted to administrators.

This unauthorized access to sensitive user data could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Exposing confidential user data through this Insecure Direct Object Reference (IDOR) vulnerability may violate principles of data minimization and access control mandated by these standards.

Executive Summary

CVE-2026-38587 is an Insecure Direct Object Reference (IDOR) vulnerability found in ONLYOFFICE DocSpace before version 3.2.1. It affects multiple REST API endpoints, allowing authenticated users with low-level permissions such as User or Guest to access sensitive information that should be restricted to administrators.

  • Users with restricted roles can retrieve the Owner's unique identifier (ID) via the GET /api/2.0/settings/security/administrator/:productid endpoint.
  • They can also access the Owner's profile information through the GET /api/2.0/portal/users/:userID endpoint.
  • Additionally, the PUT /api/2.0/people/:userid/contacts method was reachable by these low-privilege roles, which could be exploited.

This flaw allows unauthorized users to view confidential user data and compromises the security of the DocSpace environment.

Impact Analysis

This vulnerability can impact you by allowing users with low-level permissions to access sensitive information that should be restricted to administrators. This exposure of confidential data, such as the Owner's unique identifier and profile information, can lead to privacy breaches and potential misuse of that information.

Such unauthorized access could compromise the security and integrity of your ONLYOFFICE DocSpace environment, potentially leading to further exploitation or data leaks.

Detection Guidance

This vulnerability can be detected by checking if users with low-level permissions (User or Guest) are able to access sensitive Owner information via specific REST API endpoints.

  • Attempt to access the Owner's unique identifier using the GET request to /api/2.0/settings/security/administrator/:productid.
  • Attempt to retrieve the Owner's profile information using the GET request to /api/2.0/portal/users/:userID.
  • Check if the PUT request to /api/2.0/people/:userid/contacts is accessible by low-permission users.

These requests can be issued with tools like curl or Postman while authenticated as a User or Guest to verify whether unauthorized access is possible.
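Beyond probing the endpoints directly, a defender can review API access logs for low-privilege accounts that successfully reached the three endpoints named above. The following is an added example (not part of this advisory or of ONLYOFFICE's code): it assumes a hypothetical log line format of "timestamp user-id role method path status" and a constructed sample log, and flags 2xx responses to User or Guest accounts on the affected paths.

```python
import re
from typing import Dict, Iterable, List

# The three endpoints from the advisory; path parameters (:productid, :userID,
# :userid) are replaced by a single path segment.
WATCHED_ENDPOINTS = [
    ("GET", re.compile(r"^/api/2\.0/settings/security/administrator/[^/?]+$")),
    ("GET", re.compile(r"^/api/2\.0/portal/users/[^/?]+$")),
    ("PUT", re.compile(r"^/api/2\.0/people/[^/?]+/contacts$")),
]

# Roles the advisory says should not be able to reach these endpoints.
LOW_PRIVILEGE_ROLES = {"user", "guest"}

# Hypothetical log format (assumption, not DocSpace's real log layout):
# <timestamp> <user-id> <role> <method> <path> <status>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def find_idor_hits(lines: Iterable[str]) -> List[Dict]:
    """Return log entries where a low-privilege role got a 2xx on a watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line, skip it
        ts, uid, role, method, path, status = m.groups()
        path = path.split("?", 1)[0]  # drop the query string before matching
        if role.lower() not in LOW_PRIVILEGE_ROLES or not status.startswith("2"):
            continue  # admins, and denied (403/401) requests, are not findings
        for want_method, pattern in WATCHED_ENDPOINTS:
            if method == want_method and pattern.match(path):
                hits.append({"time": ts, "user": uid, "role": role,
                             "method": method, "path": path, "status": int(status)})
                break
    return hits


# Constructed sample log: one admin request, one denied request, one unrelated
# endpoint, and three successful low-privilege requests that should be flagged.
SAMPLE_LOG = """\
2026-05-26T10:00:01Z u-1001 admin GET /api/2.0/settings/security/administrator/1 200
2026-05-26T10:00:02Z u-2002 user GET /api/2.0/settings/security/administrator/1 200
2026-05-26T10:00:03Z u-3003 guest GET /api/2.0/portal/users/u-0001?fields=email 200
2026-05-26T10:00:04Z u-2002 user PUT /api/2.0/people/u-0001/contacts 403
2026-05-26T10:00:05Z u-2002 user GET /api/2.0/files/rooms 200
2026-05-26T10:00:06Z u-3003 guest PUT /api/2.0/people/u-0001/contacts 200
"""

if __name__ == "__main__":
    for hit in find_idor_hits(SAMPLE_LOG.splitlines()):
        print(hit)
```

On a patched 3.2.1 deployment the same query should return only denied (non-2xx) requests from those roles, so the script doubles as a post-upgrade check.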

Mitigation Strategies

To mitigate this vulnerability, immediately update ONLYOFFICE DocSpace to version 3.2.1 or later, where the issue has been fixed to prevent unauthorized access to Owner-level information.
