Sulu CMS Flaw Grants Unauthorized Admin API Access

CVE Notify is flagging a critical access control vulnerability impacting the open-source Sulu CMS. The issue, designated CVE-2026-34372, affects versions ranging from 1.0.0 up to, but not including, 2.6.22, and from 3.0.0 to before 3.0.5. According to CVE Notify, even users with basic administrative permissions for certain Sulu Admin roles could exploit this flaw to access sensitive sub-entities within the contacts module via the admin API. The kicker? They wouldn’t need explicit permissions for the contacts module itself.

This bypass of intended access controls could open the door for attackers to pivot within an organization’s content management system. While the specifics of what kind of data resides in these ‘sub-entities’ aren’t detailed, the potential for unauthorized data exfiltration or manipulation is clear. The Sulu team has addressed this by releasing patched versions 2.6.22 and 3.0.5, closing the loophole that allowed these privilege escalations.

This serves as a stark reminder that robust access control isn’t just about broad role assignments; it’s about the granular permissions tied to every API endpoint and data subset. Even seemingly minor CMS components can become vectors for compromise if not properly secured.
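To make the defect class concrete, here is an added toy model (not Sulu's code; the module names, permission strings, record layout and handler functions are all hypothetical). It places a sub-entity endpoint that only asks "does this user hold any admin-area permission?" beside one that resolves authorization against the parent module's permission, which is the granular check the paragraph above calls for.

```python
# Added illustration of the access-control defect class described above.
# This is a toy model, not Sulu's code: module names, permission strings,
# the record layout and the handler functions are all hypothetical.
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class User:
    name: str
    permissions: Set[str] = field(default_factory=set)  # e.g. {"cms.media.view"}


# Constructed sample data: one contact record with a nested "address" sub-entity.
CONTACTS_DB: Dict[int, Dict] = {
    42: {"name": "Example Person", "addresses": {7: {"city": "Example City"}}},
}


def has_any_admin_role(user: User) -> bool:
    """True if the user holds any admin-area permission at all."""
    return any(p.startswith("cms.") for p in user.permissions)


def get_address_weak(user: User, contact_id: int, address_id: int) -> Dict:
    """Weak endpoint: gates on 'is this some admin user?' and never consults
    the contacts module ACL, so a media-only editor is served the record."""
    if not has_any_admin_role(user):
        raise PermissionError("no admin role")
    return CONTACTS_DB[contact_id]["addresses"][address_id]


def get_address_fixed(user: User, contact_id: int, address_id: int) -> Dict:
    """Hardened endpoint: the sub-entity inherits its parent module's
    permission, so an explicit 'cms.contacts.view' grant is required."""
    if "cms.contacts.view" not in user.permissions:
        raise PermissionError("contacts permission required")
    return CONTACTS_DB[contact_id]["addresses"][address_id]


def probe(handler: Callable[[User, int, int], Dict], user: User) -> bool:
    """Return True if the handler served the sub-entity to this user."""
    try:
        handler(user, 42, 7)
        return True
    except PermissionError:
        return False


def demo() -> Dict[str, bool]:
    """Exercise both endpoints with a media-only editor and a contacts editor."""
    media_editor = User("media_editor", {"cms.media.view"})
    contacts_editor = User("contacts_editor", {"cms.contacts.view"})
    return {
        "weak_media_editor": probe(get_address_weak, media_editor),
        "fixed_media_editor": probe(get_address_fixed, media_editor),
        "fixed_contacts_editor": probe(get_address_fixed, contacts_editor),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that a sub-entity has no permission of its own in this model; its authorization question must be answered by the module that owns it. Any endpoint that short-circuits to a "has some role" test reintroduces the same gap.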

What This Means For You

  • Organizations using Sulu CMS should immediately verify their deployed versions and prioritize upgrading to patched releases (2.6.22 or 3.0.5 and later) to mitigate the risk of unauthorized access to contact sub-entities via the admin API.
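An added helper for that version check (not Sulu's or CVE Notify's code). The affected ranges are the ones stated in the advisory; the composer.lock document is a constructed sample, and the package name "sulu/sulu" is an assumption about how the CMS is installed via Composer. Pre-release tags such as "2.6.22-RC1" are deliberately treated as still inside the affected range.

```python
# Added helper for the upgrade check above. Not Sulu's code: the version ranges
# come from the advisory, the composer.lock sample is constructed, and the
# package name "sulu/sulu" is an assumption about the Composer install layout.
import json
from typing import List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, is_final_release)

# Affected ranges as [first_affected, first_fixed):
#   1.0.0 <= v < 2.6.22   and   3.0.0 <= v < 3.0.5
AFFECTED_RANGES: List[Tuple[Version, Version]] = [
    ((1, 0, 0, 0), (2, 6, 22, 1)),
    ((3, 0, 0, 0), (3, 0, 5, 1)),
]


def parse_version(text: str) -> Version:
    """Parse 'v2.6.21', '2.6.22-RC1' or '3.0' into a comparable tuple.
    A pre-release (anything after '-') sorts below the final release of the
    same number, so '2.6.22-RC1' is still reported as affected."""
    core, sep, _pre = text.strip().lstrip("vV").partition("-")
    core = core.split("+")[0]                  # drop build metadata
    nums = [int(p) for p in core.split(".")]
    nums += [0] * (3 - len(nums))              # pad '3.0' to 3.0.0
    is_final = 0 if sep else 1
    return (nums[0], nums[1], nums[2], is_final)


def is_affected(version_text: str) -> bool:
    """True if the version falls inside either affected range."""
    v = parse_version(version_text)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_version_from_composer_lock(lock_json: str, package: str = "sulu/sulu") -> str:
    """Return the pinned version of `package` from a composer.lock document."""
    lock = json.loads(lock_json)
    for entry in lock.get("packages", []):
        if entry.get("name") == package:
            return entry["version"]
    raise LookupError(f"{package} not found in composer.lock")


# Constructed sample lock file for a vulnerable 2.x install.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/framework-bundle", "version": "v6.4.0"},
        {"name": "sulu/sulu", "version": "2.6.21"},
    ]
})


def check_lock(lock_json: str) -> Tuple[str, bool]:
    """Return (installed version, affected?) for a composer.lock document."""
    version = installed_version_from_composer_lock(lock_json)
    return version, is_affected(version)


if __name__ == "__main__":
    ver, affected = check_lock(SAMPLE_COMPOSER_LOCK)
    print(f"sulu/sulu {ver}: {'AFFECTED, upgrade required' if affected else 'not affected'}")
```

Run it against the real composer.lock of each deployment by passing the file contents to `check_lock`; a result of `True` means the install sits below 2.6.22 on the 2.x line or below 3.0.5 on the 3.x line.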

Related ATT&CK Techniques

Indicators of Compromise

ID              Type                    Indicator
CVE-2026-34372  Auth Bypass             Sulu CMS versions 1.0.0 to 2.6.21 and 3.0.0 to 3.0.4. Vulnerable component: Admin API. Allows users with Sulu Admin permissions to access contact sub-entities without explicit contact permissions.
CVE-2026-34372  Information Disclosure  Sulu CMS versions 1.0.0 to 2.6.21 and 3.0.0 to 3.0.4. Vulnerable component: Admin API. Unauthorized access to contact sub-entities.