Listen to this Post
The vulnerability resides in the `/admin/api/users` endpoint. When an authenticated user makes a `GET` request to list or view a specific user, the response includes an `apiKey` field. The backend controller (UserController.php) does not filter this sensitive field; it is automatically returned for any user the requester is allowed to see. The exposure occurs solely due to improper output filtering—there is no access control bypass on the endpoint itself. An attacker must already have valid admin credentials and at least one role granting access to the user endpoint. Once they view a user (e.g., GET /admin/api/users/1), the API payload contains a plaintext `apiKey` attribute. While Sulu’s core never uses this `apiKey` for authentication, projects may store third‑party tokens or custom secret values in this field. If a site uses `apiKey` for any purpose, an attacker with low privileges can retrieve it. The issue is exacerbated because the API returns the key regardless of whether the target user has a role that should see it. The workaround involves manually editing `UserController.php` to remove the field descriptor before serialization, preventing the key from being included in any API response.
dailycve form
Platform: `Sulu CMS`
Version: 2.6.x≤2.6.22,3.0.x≤3.0.5
Vulnerability : `Information Disclosure`
Severity: `Low`
date: `2026‑05‑12`
Prediction: `2026‑05‑18`
What Undercode Say:
Check your installed Sulu version
composer show sulu/sulu | grep versions
Simulate a request that exposes the apiKey field
curl -X GET -H "Authorization: Bearer $ADMIN_TOKEN" \
https://example.com/admin/api/users/1
Example response showing the leaked apiKey
{ "id": 1, "username": "admin", "apiKey": "sk_live_abcd1234", ... }
Exploit:
Authenticate to the Sulu admin interface. Send a `GET` request to `/admin/api/users` or `/admin/api/users/{id}` using your session token. Inspect the JSON response for the `apiKey` field, which will contain the user’s API key in plaintext.
Protection from this CVE
- Upgrade to Sulu 2.6.23 or 3.0.6 (patched versions).
- If upgrading is not possible, edit `UserController.php` in the Sulu Security Bundle and remove the `apiKey` field descriptor from the serialization configuration.
- Alternatively, implement a Symfony event listener that strips the `apiKey` property from the API response.
Impact:
Low – Exposure of `apiKey` values that may be used by projects for external integrations or custom authentication. The Sulu core itself does not rely on these keys, limiting the direct damage, but leaked secrets could lead to lateral movement or compromise of third‑party services if the key grants access to other systems.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

