PT-2026-29166 · Symfony+1
Sh4Dowalker · Published 2026-03-30 · Updated 2026-04-01
CVE-2026-34372
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Sulu versions 1.0.0 through 2.6.21
Sulu versions 3.0.0 through 3.0.4
Description
Sulu is a PHP content management system built on the Symfony framework. A user who can access the Sulu Admin interface through at least one role could access sub-entities of contacts via the admin API even without explicit permission for contacts, because the permission checks applied to contact-related data on the admin API are insufficient. The affected admin API endpoint is therefore susceptible to unauthorized data access. The vulnerable parameter is not specified.
Recommendations
Update to Sulu version 2.6.22 or later.
Update to Sulu version 3.0.5 or later.
Create a Symfony Request Listener to verify permissions for specific roles.
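One way to follow the last recommendation, as an added example that is not Sulu's or Symfony's own code: a Symfony request subscriber that refuses admin API requests for contact sub-entities unless the user holds a contacts role. The route prefixes and the role name are assumptions; map them to the admin API routes and permission scheme of your installation.

```php
<?php
// Added example (not Sulu's or Symfony's own code): deny admin API requests for
// contact sub-entities unless the caller holds the contacts role. Route prefixes
// and the role name are placeholders, not Sulu's real values.
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
final class ContactSubEntityPermissionSubscriber implements EventSubscriberInterface
{
    /** Admin API path prefixes that expose contact sub-entities (assumed). */
    private const PROTECTED_PREFIXES = [
        '/admin/api/contacts/',  // e.g. /admin/api/contacts/{id}/addresses
        '/admin/api/contact-',   // e.g. /admin/api/contact-titles
    ];
    /** Role the caller must hold (placeholder for your installation's value). */
    private const REQUIRED_ROLE = 'ROLE_SULU_CONTACTS';
    public function __construct(private readonly AuthorizationCheckerInterface $authChecker) {}

    public static function getSubscribedEvents(): array
    {
        // Symfony's firewall listens at priority 8; run just after it so the
        // security token is already populated when the role is checked.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $path = $event->getRequest()->getPathInfo();
        if (!$event->isMainRequest() || !self::isProtectedPath($path)) {
            return;
        }
        if (!$this->authChecker->isGranted(self::REQUIRED_ROLE)) {
            // Refuse the request before any controller touches contact data.
            throw new AccessDeniedException('Contacts permission required.');
        }
    }

    public static function isProtectedPath(string $path): bool
    {
        foreach (self::PROTECTED_PREFIXES as $prefix) {
            if (str_starts_with($path, $prefix)) { return true; }
        }
        return false;
    }
}
```

With Symfony's default service autoconfiguration the subscriber is registered automatically; it is a stop-gap for installations that cannot update immediately and is harmless once the fixed version is installed.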

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related identifiers

CVE-2026-34372
GHSA-6H7H-M7P5-HJQP

Affected products

Sulu
Symfony