PT-2026-43264 · Onlyoffice · Onlyoffice Docspace

Published: 2026-05-26 · Updated: 2026-05-26 · CVE-2026-38587

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ONLYOFFICE DocSpace versions prior to 3.2.1

Description

An Insecure Direct Object Reference (IDOR) flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions, such as User or Guest, to retrieve sensitive information including the Owner's unique identifier (ID) and profile information, which is intended to be accessible only to administrators. IDOR is a type of access control flaw that occurs when an application uses user-supplied input to access objects directly without proper authorization checks.

Recommendations

Update to version 3.2.1.

Fix

IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-38587

Affected Products

Onlyoffice Docspace