CVE-2026-32299: Improper Authorization and Data Leakage in Connect-CMS
Vulnerability ID: CVE-2026-32299
CVSS Score: 7.5
Published: 2026-03-23
Connect-CMS versions prior to 1.41.1 and 2.41.1 contain an improper authorization vulnerability in the content retrieval logic. The flaw allows unauthenticated remote attackers to retrieve non-public information by exploiting an incomplete route coverage implementation and a missing frame-to-page ID validation check.
TL;DR
Unauthenticated attackers can read restricted content in Connect-CMS due to flawed authorization middleware and missing frame-to-page validation.
Technical Details
- CWE ID: CWE-284 (Improper Access Control)
- Attack Vector: Network
- CVSS v3.1: 7.5 (High)
- Impact: Confidentiality Loss
- Privileges Required: None
- Exploit Status: Unexploited
- KEV Status: Not Listed
Affected Systems
- Connect-CMS 1.x < 1.41.1
- Connect-CMS 2.x < 2.41.1
-
connect-cms: < 1.41.1 (Fixed in:
1.41.1) -
connect-cms: >= 2.0.0, < 2.41.1 (Fixed in:
2.41.1)
Code Analysis
Commit: 8ef15cd
Fix improper authorization in content retrieval for version 1.x series
Commit: c2519d7
Fix improper authorization in content retrieval for version 2.x series
Mitigation Strategies
- Upgrade Connect-CMS to a patched version (1.41.1 or 2.41.1)
- Implement centralized middleware coverage for all data retrieval endpoints
- Enforce strict entity relationship validation (IDOR prevention) in custom plugins
Remediation Steps:
- Identify the major version of the deployed Connect-CMS instance.
- Download and apply the 1.41.1 patch for 1.x instances, or the 2.41.1 patch for 2.x instances.
- Monitor web server logs for mismatched page_id and frame_id combinations targeting /json/ and /download/ routes.
- Audit any custom Connect-CMS plugins to ensure they do not bypass standard middleware authorization checks.
References
Read the full report for CVE-2026-32299 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)