Sulu Permission Bypass Vulnerability in Admin API Contacts Sub-Entities Access

Vulnerability

Sulu, an open-source PHP content management system, is missing a permission check in its admin API: any user who holds at least one role permission for the Sulu Admin can access sub-entities of contacts through the admin API, even when that user's roles grant no permission for contacts themselves. The issue affects Sulu versions from 1.0.0 before 2.6.22 and from 3.0.0 before 3.0.5.

Impact

An authenticated admin user whose roles do not include contact permissions can still reach contact sub-entities through the admin API, so the contact permissions configured in Sulu's role settings do not restrict those endpoints as intended.

Remediation

Upgrade to Sulu 2.6.22 or 3.0.5, which contain the fix. Where upgrading is not immediately possible, a Symfony request listener that checks the current user's contact permissions before the affected admin API routes are dispatched can serve as a workaround. In either case, verify the result with a test user whose role has Sulu Admin access but no contact permissions: requests to the contact sub-entity endpoints must be rejected.
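The following is an added example of the request-listener workaround; it is not Sulu's own patch and not code from the advisory. It assumes a Symfony application with autowiring and autoconfiguration enabled, that the guarded sub-entity routes live below /admin/api/contacts/{id}/ and /admin/api/accounts/{id}/ (adjust the patterns to the endpoints your Sulu version exposes), that the relevant security contexts are sulu.contact.people and sulu.contact.organizations, and that mapping HTTP methods to Sulu permission types (GET to VIEW, POST to ADD, PUT/PATCH to EDIT, DELETE to DELETE) is the policy you want. It runs at kernel.request priority 7, after Symfony's firewall listener (priority 8), so the user is already authenticated when the check runs, and it fails closed: unknown methods are treated as EDIT rather than as read-only.

```php
<?php
// Added example of a Symfony request listener that enforces Sulu contact
// permissions on admin API sub-entity routes. Not Sulu's own fix; route
// patterns, security contexts, the method-to-permission mapping and the
// listener priority are assumptions documented above.

declare(strict_types=1);

namespace App\EventListener;

use Sulu\Component\Security\Authorization\PermissionTypes;
use Sulu\Component\Security\Authorization\SecurityCheckerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
use Symfony\Component\HttpKernel\KernelEvents;

final class ContactSubEntityPermissionSubscriber implements EventSubscriberInterface
{
    /**
     * Assumed routes: everything below /admin/api/contacts/{id}/ or
     * /admin/api/accounts/{id}/ is a contact or account sub-entity.
     * Extend this list to cover the sub-entity endpoints of your installation.
     */
    private const ROUTE_CONTEXTS = [
        '#^/admin/api/contacts/\d+/#' => 'sulu.contact.people',
        '#^/admin/api/accounts/\d+/#' => 'sulu.contact.organizations',
    ];

    /** Assumed mapping from HTTP method to Sulu permission type. */
    private const METHOD_PERMISSIONS = [
        'GET'    => PermissionTypes::VIEW,
        'HEAD'   => PermissionTypes::VIEW,
        'POST'   => PermissionTypes::ADD,
        'PUT'    => PermissionTypes::EDIT,
        'PATCH'  => PermissionTypes::EDIT,
        'DELETE' => PermissionTypes::DELETE,
    ];

    public function __construct(private SecurityCheckerInterface $securityChecker)
    {
    }

    public static function getSubscribedEvents(): array
    {
        // Priority 7: after Symfony's firewall listener (8) has authenticated
        // the user, but before the controller is executed.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return;
        }

        $request = $event->getRequest();
        $context = self::matchContext($request->getPathInfo());
        if ($context === null) {
            return; // not a guarded contact sub-entity route
        }

        // Fail closed: a method not in the table is treated as a write.
        $permission = self::METHOD_PERMISSIONS[$request->getMethod()] ?? PermissionTypes::EDIT;

        // hasPermission() resolves the current user's roles against the
        // security context, which is the same check the contact endpoints
        // themselves are expected to perform.
        if (!$this->securityChecker->hasPermission($context, $permission)) {
            throw new AccessDeniedHttpException(sprintf(
                'Missing "%s" permission on security context "%s"',
                $permission,
                $context
            ));
        }
    }

    /** Returns the security context guarding a path, or null if unguarded. */
    public static function matchContext(string $path): ?string
    {
        foreach (self::ROUTE_CONTEXTS as $pattern => $context) {
            if (preg_match($pattern, $path) === 1) {
                return $context;
            }
        }

        return null;
    }
}
```

With the default Symfony service configuration (resources under src/ autowired and autoconfigured) the class is registered and tagged as an event subscriber without further wiring; otherwise register it as a service tagged kernel.event_subscriber. Because the listener keys on the request path rather than on route names, it also covers any sub-entity route that is added later under the same prefixes, but a sub-entity exposed under a different prefix needs its own entry in ROUTE_CONTEXTS.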

Added: Mar 31, 2026, 11:20 PM
Updated: Mar 31, 2026, 11:20 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 5.4
remediation: 7.7
relevance: 5.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.