PT-2026-29166 · Symfony +1
Sh4Dowalker
Published: 2026-03-30
Updated: 2026-04-01
CVE-2026-34372
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Sulu versions 1.0.0 through 2.6.21
Sulu versions 3.0.0 through 3.0.4
Description
Sulu is a PHP content management system built on the Symfony framework. A user who has access to the Sulu Admin interface through at least one role could read sub-entities of contacts via the admin API even without explicit permission for contacts. The cause is insufficient permission checks when contact-related data is requested through the admin API, so the admin API endpoint is susceptible to unauthorized data access. The vulnerable parameter is not specified.
Recommendations
Update to Sulu version 2.6.22 or later.
Update to Sulu version 3.0.5 or later.
Create a Symfony Request Listener to verify permissions for specific roles.
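The listener recommended above, as an added example that is not Sulu's own code or part of the original advisory: a Symfony `kernel.request` subscriber that refuses contact-related admin API requests unless the current user holds the contact permission. The admin API path prefix (`/admin/api/`), the list of gated resource names and the `PERMISSION_CONTACT_VIEW` attribute are assumptions and placeholders to be replaced with the installation's real routes and security attributes; the subscriber relies only on standard Symfony components (5.3 or later for `isMainRequest()`).

```php
<?php
// Added example, not code from Sulu or from the advisory. Denies requests to
// contact sub-entity resources of the admin API unless the user is granted the
// contact permission. Prefix, resource names and permission attribute are
// placeholders (assumptions); adjust them to the actual routing and ACL setup.

declare(strict_types=1);

namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

final class ContactApiPermissionSubscriber implements EventSubscriberInterface
{
    /** Assumed path prefix of the admin API; verify it against your router. */
    private const ADMIN_API_PREFIX = '/admin/api/';

    /**
     * Resource names that expose contact data and must be gated by the
     * contact permission. Constructed placeholder list, not Sulu's route table.
     */
    private const CONTACT_RESOURCES = ['contacts', 'contact-titles', 'contact-positions'];

    /** Placeholder attribute; map it to the real contact permission/voter. */
    private const CONTACT_PERMISSION = 'PERMISSION_CONTACT_VIEW';

    public function __construct(private readonly AuthorizationCheckerInterface $authChecker)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 0 runs after the router (32) and the firewall (8), so the
        // security token is already populated when we check it.
        return [KernelEvents::REQUEST => ['onKernelRequest', 0]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests (fragments, forwards) inherit the main check
        }

        $path = $event->getRequest()->getPathInfo();
        if (!str_starts_with($path, self::ADMIN_API_PREFIX)) {
            return; // not an admin API call
        }

        // The first segment after the prefix names the resource; strip an
        // optional format suffix such as ".json" so "contacts.json" still matches.
        $rest = substr($path, strlen(self::ADMIN_API_PREFIX));
        $resource = explode('/', $rest, 2)[0];
        $resource = preg_replace('/\.[a-z0-9]+$/i', '', $resource) ?? $resource;

        if (!in_array($resource, self::CONTACT_RESOURCES, true)) {
            return; // resource is not contact-related; other checks apply
        }

        // Deny regardless of HTTP method: listing, reading and writing
        // sub-entities all require the contact permission.
        if (!$this->authChecker->isGranted(self::CONTACT_PERMISSION)) {
            throw new AccessDeniedException(sprintf(
                'Access to admin API resource "%s" requires the contact permission.',
                $resource
            ));
        }
    }
}
```

Registered as a service with autoconfiguration, the subscriber turns every gated request into a 403 via Symfony's normal exception handling; the check is deliberately based on the request path rather than on the controller so that every route under the prefix, including ones added later, is covered until the upstream fix is deployed.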
Weakness Enumeration
Authentication Bypass Using an Alternate Path or Channel
Affected Products
Sulu
Symfony