Listen to this Post
How the Mentioned CVE Works
The vulnerability stems from a flaw in Sulu’s permission handling mechanism for subentities endpoints. When a user possesses at least one role granting access to the Sulu admin interface, the system fails to perform adequate authorization checks specifically for contact subentities accessed via the admin API. Under normal operation, accessing contact-related subentities (such as addresses, emails, or phone numbers) should require explicit permissions on the parent “contacts” module. However, due to the absence of recursive permission validation in the affected versions, a user with minimal admin rights can directly query the subentities endpoints (e.g., /admin/api/contacts//addresses) without holding the required contact permissions. This occurs because the API controller only validates general admin access or role existence but does not verify granular permissions for the associated parent entity. The oversight allows authenticated admin users to enumerate, read, and potentially modify sensitive contact subentity data they should not have access to, leading to unauthorized data exposure.
Platform: Sulu CMS
Version: 2.6.x < 2.6.22, 3.0.x < 3.0.5
Vulnerability : Permission Bypass
Severity: Moderate
date: 2026-03-27
Prediction: 2026-04-02
What Undercode Say:
Check installed version composer show sulu/sulu | grep versions Verify permission exposure curl -X GET -H "Authorization: Bearer $ADMIN_TOKEN" \ https://example.com/admin/api/contacts/1/addresses
Exploit:
Craft API requests to /admin/api/contacts/{id}/addresses, /admin/api/contacts/{id}/emails, or similar subentity routes using a valid admin session token, bypassing parent entity permission checks to exfiltrate or modify unauthorized data.
Protection from this CVE
Upgrade to Sulu version 2.6.22 or 3.0.5. If immediate upgrade is not possible, implement a Symfony Request Listener that intercepts subentity requests and manually verifies parent contact permissions before allowing access.
Impact:
Unauthorized disclosure and modification of contact subentity data (addresses, emails, phone numbers) by users with minimal admin privileges, potentially exposing sensitive personal information.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

