{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34372", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:43:14.369Z", "datePublished": "2026-03-31T20:19:32.601Z", "dateUpdated": "2026-03-31T20:29:14.584Z"}, "containers": {"cna": {"title": "Sulu checks fix permissions for subentities endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-288", "lang": "en", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp"}, {"name": "https://github.com/sulu/sulu/releases/tag/2.6.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/releases/tag/2.6.22"}, {"name": "https://github.com/sulu/sulu/releases/tag/3.0.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/sulu/sulu/releases/tag/3.0.5"}], "affected": [{"vendor": "sulu", "product": "sulu", "versions": [{"version": ">= 1.0.0, < 2.6.22", "status": "affected"}, {"version": ">= 3.0.0, < 3.0.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:19:32.601Z"}, "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5."}], "source": {"advisory": "GHSA-6h7h-m7p5-hjqp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T20:29:06.573205Z", "id": "CVE-2026-34372", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:29:14.584Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34372", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-31T20:29:06.573205Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T20:29:09.677Z"}}], "cna": {"title": "Sulu checks fix permissions for subentities endpoints", "source": {"advisory": "GHSA-6h7h-m7p5-hjqp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "sulu", "product": "sulu", "versions": [{"status": "affected", "version": ">= 1.0.0, < 2.6.22"}, {"status": "affected", "version": ">= 3.0.0, < 3.0.5"}]}], "references": [{"url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "name": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/sulu/sulu/releases/tag/2.6.22", "name": "https://github.com/sulu/sulu/releases/tag/2.6.22", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/sulu/sulu/releases/tag/3.0.5", "name": "https://github.com/sulu/sulu/releases/tag/3.0.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288: Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T20:19:32.601Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34372", "state": "PUBLISHED", "dateUpdated": "2026-03-31T20:29:14.584Z", "dateReserved": "2026-03-27T13:43:14.369Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T20:19:32.601Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "matchCriteriaId": "BB27FC33-8473-4331-A2D4-4D40F97CB960", "versionEndExcluding": "2.6.22", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "matchCriteriaId": "E9A4E47B-0184-4443-8B0C-B3CB341D65D4", "versionEndExcluding": "3.0.5", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5."}], "id": "CVE-2026-34372", "lastModified": "2026-04-10T01:40:29.000", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T21:16:29.840", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sulu/sulu/releases/tag/2.6.22"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/sulu/sulu/releases/tag/3.0.5"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,2.6.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.0.0,3.0.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "sulu", "source": "cna", "vendor": "sulu"}, "product": "sulu", "vendor": "sulu"}], "analysis": {"en": {"generated_at": "2026-04-10T02:27:20.365347+00:00", "value": {"mitigation_remediation": ["Upgrade Sulu to version 2.6.22 or later", "Upgrade Sulu to version 3.0.5 or later", "Verify that no older releases are in use", "Restrict admin role assignments to only trusted users"], "summary": {"action": "Update Sulu", "impact": "Unauthorized data access via admin API"}, "threat_synthesis": {"affected_systems": "Sulu CMS versions from 1.0.0 up to, but not including, 2.6.22 and from 3.0.0 up to, but not including, 3.0.5. The issue affects the admin API that serves sub-entity data of contacts. Any deployment of these affected releases that permits users to obtain an Sulu Admin role is vulnerable.", "description_and_impact": "The vulnerability exists in the open-source Sulu content management system, a PHP-based platform built on the Symfony framework. A flaw in the permission checks for certain admin API endpoints allows a user who holds any Sulu Admin role to retrieve sub-entities of contacts even when that user lacks explicit permission for the contacts themselves. This authorization bypass enables an attacker to read sensitive contact data through the API, potentially exposing personally identifiable information. The flaw does not provide remote code execution or denial of service; it is purely an information disclosure issue caused by improper access control.", "risk_and_exploitability": "The Common Vulnerability Scoring System assigns a medium severity with a score of 5.3, and the Exploit Prediction Scoring System rate is below 1%, indicating low exploitation likelihood. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need authenticated access to the Sulu admin API with an admin role, which implies a trusted or compromised account. The attack vector is through HTTP requests to the backend API, so the threat is primarily internal or from compromised credentials. While most chances for exploitation are mitigated by credential protection, any compromise of an admin account would make the flaw immediately actionable."}}}}, "created": "2026-04-02T07:52:55.541462+00:00", "updated": "2026-04-10T09:45:55.898134+00:00", "vendors": ["sulu", "sulu$PRODUCT$sulu"]}