Improper access control in Sulu - #VU131128

Published: May 12, 2026


Vulnerability identifier: #VU131128
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sulu GmbH
Affected software: Sulu

Detailed vulnerability description

The vulnerability allows a remote user to disclose potentially sensitive information.

The vulnerability exists due to improper access control in the users endpoint controller when handling requests to the admin API. A remote user can read the exposed apiKey field and disclose potentially sensitive information.

This has impact only if the project uses that field for its own purposes, as the core product does not use it for authentication.
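The defect class described above (CWE-284: a user-listing endpoint serializes a secret-bearing field to any caller who can reach it) is illustrated below with the vulnerable pattern beside a field-level allow-list fix and a small response check a reviewer can run over an API payload. This is an added example written for this page, not Sulu's code; the `User` attributes, roles, endpoint name and sample records are constructed assumptions.

```python
"""Added illustration, not Sulu's implementation: a user-listing endpoint that
leaks a secret field to low-privileged callers, and a hardened serializer that
allow-lists fields per requester. All names and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class User:
    id: int
    username: str
    email: str
    api_key: Optional[str] = None  # hypothetical secret-bearing attribute


# Constructed sample records (not taken from the advisory).
USERS: List[User] = [
    User(1, "admin", "admin@example.test", "ak_constructed_secret_1"),
    User(2, "editor", "editor@example.test", "ak_constructed_secret_2"),
]

# Fields that any authenticated caller of the listing may see.
PUBLIC_FIELDS = ("id", "username", "email")
# Fields that must be gated on the requester's relationship to the record.
SECRET_FIELDS = ("apiKey",)


def serialize_user_vulnerable(user: User) -> Dict:
    """Vulnerable pattern: every attribute is dumped, so a low-privileged
    authenticated caller sees other accounts' apiKey values."""
    return {
        "id": user.id,
        "username": user.username,
        "email": user.email,
        "apiKey": user.api_key,
    }


def serialize_user_fixed(user: User, requester_role: str, requester_id: int) -> Dict:
    """Hardened pattern: start from an explicit allow-list and add secret
    fields only when the requester is an administrator or the record owner."""
    data = {"id": user.id, "username": user.username, "email": user.email}
    if requester_role == "admin" or requester_id == user.id:
        data["apiKey"] = user.api_key
    return data


def list_users_endpoint(requester_role: str, requester_id: int,
                        users: List[User] = USERS) -> List[Dict]:
    """Hypothetical admin-API listing handler using the hardened serializer."""
    return [serialize_user_fixed(u, requester_role, requester_id) for u in users]


def exposed_secrets(payload: List[Dict], requester_role: str,
                    requester_id: int) -> List[int]:
    """Review check: ids of records whose secret fields reached a requester
    who is neither an admin nor the record owner. Empty list means no leak."""
    if requester_role == "admin":
        return []
    return [
        rec["id"]
        for rec in payload
        if rec["id"] != requester_id and any(f in rec for f in SECRET_FIELDS)
    ]


if __name__ == "__main__":
    leaky = [serialize_user_vulnerable(u) for u in USERS]
    print("vulnerable listing leaks ids:", exposed_secrets(leaky, "editor", 2))
    print("fixed listing leaks ids:", exposed_secrets(list_users_endpoint("editor", 2), "editor", 2))
```

The check in `exposed_secrets` is deliberately independent of the serializer: it inspects only the payload and the requester context, so the same function can be pointed at a captured JSON response from a staging instance to confirm that a fix landed.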


Remediation

Install the security update from the vendor's website.

Sources