Authentication bypass using an alternate path or channel in Sulu - CVE-2026-34372

Published: May 12, 2026
Vulnerability identifier: #VU131126
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-34372
CWE-ID: CWE-288
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sulu GmbH
Affected software:
Sulu

Detailed vulnerability description

The vulnerability allows a remote user to obtain contact subentity information.

The vulnerability exists due to improper access control in the subentity endpoints of the admin API when handling requests for contact subentities. A remote user who lacks the contacts permission can nevertheless request subentities of contacts and thereby obtain contact subentity information.

Exploitation requires access to the Sulu Admin via at least one role.
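The flaw class described above (CWE-288) modelled as an added illustration, not Sulu's code: the parent contact endpoint enforces the contacts permission, but the subentity endpoint only checks that the caller holds some role, so it becomes an unchecked alternate path; the hardened handler derives the subentity's check from its parent resource. All names, roles and data are constructed.

```python
from dataclasses import dataclass, field

# Constructed sample data: one contact with one subentity (an address).
CONTACTS = {7: {"name": "Example Person",
                "addresses": [{"street": "Constructed Street 1"}]}}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)        # any admin role grants login
    permissions: set = field(default_factory=set)  # resource permissions, e.g. "contacts"


class Forbidden(Exception):
    pass


def require(condition):
    if not condition:
        raise Forbidden


# Vulnerable pattern: parent route is protected, subentity route is not.
def get_contact_vulnerable(user, cid):
    require("contacts" in user.permissions)
    return CONTACTS[cid]["name"]


def get_contact_addresses_vulnerable(user, cid):
    require(bool(user.roles))  # only "has at least one role" -> alternate path
    return CONTACTS[cid]["addresses"]


# Hardened pattern: every subentity inherits the permission of its owning resource.
PARENT_PERMISSION = {"addresses": "contacts"}  # constructed subentity -> parent map


def get_contact_subentity_fixed(user, cid, subentity):
    require(bool(user.roles))
    require(PARENT_PERMISSION[subentity] in user.permissions)
    return CONTACTS[cid][subentity]


def probe(handler, *args):
    """Return 'allowed' or 'denied' so the two patterns can be compared."""
    try:
        handler(*args)
        return "allowed"
    except Forbidden:
        return "denied"
```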
How to mitigate CVE-2026-34372

Install the security update from the vendor's website.