PT-2026-44734 · Packagist · Sulu/Sulu
Published 2026-05-18 · Updated 2026-05-18
CVSS v4.0: 2.3 (Low)
| Vector | AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Impact
The users endpoint controller exposes a project's apiKey field to any logged-in user who has permission for that endpoint. This only has an impact if the project itself makes use of that field: Sulu core does nothing with it and performs no apiKey-based authentication.
Patches
A patch is released with versions 2.6.23 and 3.0.5.
Workarounds
Remove the apiKey field descriptor by patching the UserController.php file in the Sulu SecurityBundle.
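A quick check for whether an instance is affected, or whether the workaround above actually stops the leak, added here as an example and not part of the advisory or of Sulu's code: it walks a saved response from the users endpoint (assumed to be the admin API path `/admin/api/users`, fetched with an authenticated session) and reports every JSON path at which an `apiKey` or other secret field is still serialized. The sample responses below are constructed, not captured from a real installation.

```python
"""Scan a Sulu admin API response for serialized secret fields such as apiKey."""
import json
from typing import Any, Iterator

# Field names that should never reach an API client. apiKey is the field
# from the advisory; the others are assumptions about what else to watch for.
SENSITIVE_FIELDS = frozenset({"apiKey", "password", "salt"})


def find_sensitive(payload: Any, path: str = "$") -> Iterator[str]:
    """Yield the JSON path of every sensitive key with a non-empty value.

    Handles both Sulu's HAL-style list responses (_embedded.users[...]) and a
    single-user object, since it recurses through dicts and lists generically.
    """
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_FIELDS and value not in (None, ""):
                yield child
            yield from find_sensitive(value, child)
    elif isinstance(payload, list):
        for idx, item in enumerate(payload):
            yield from find_sensitive(item, f"{path}[{idx}]")


def exposed_paths(body: str) -> list[str]:
    """Return the paths of all leaked secret fields in a raw JSON response body."""
    return list(find_sensitive(json.loads(body)))


# Constructed sample resembling an unpatched list response (apiKey present).
VULNERABLE_RESPONSE = json.dumps({
    "_embedded": {"users": [
        {"id": 1, "username": "admin", "apiKey": "c0ffee", "locale": "en"},
        {"id": 2, "username": "editor", "apiKey": None, "locale": "de"},
    ]},
    "total": 2,
})

# Constructed sample resembling a response after the descriptor was removed.
PATCHED_RESPONSE = json.dumps({
    "_embedded": {"users": [
        {"id": 1, "username": "admin", "locale": "en"},
    ]},
    "total": 1,
})


if __name__ == "__main__":
    for label, body in (("before", VULNERABLE_RESPONSE), ("after", PATCHED_RESPONSE)):
        leaks = exposed_paths(body)
        print(f"{label}: {'LEAK ' + ', '.join(leaks) if leaks else 'clean'}")
```

To run it against a live instance, save the body of an authenticated request to the users endpoint (for example with curl and the admin session cookie) to a file and pass its contents to `exposed_paths`; an empty result means no secret field is serialized, and any listed path pinpoints where the field still leaks. A user whose apiKey is null is not reported, which matches the advisory's note that the field is only an exposure when the project actually populates it.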
Fix
Improper Access Control
Affected Products
Sulu/Sulu