ONLYOFFICE DocSpace Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Owner Profile Information

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in ONLYOFFICE DocSpace versions prior to 3.2.1. It exists in multiple REST API endpoints and allows authenticated users with low-level permissions (User or Guest) to access sensitive information, such as the Owner's unique identifier and profile details, which should be restricted to administrators.
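
The class of flaw described above, as an added illustration that is not ONLYOFFICE DocSpace code: a profile handler that trusts the requested id, beside one that applies an object-level check, plus a role matrix check that lists which low-privileged callers can read another account's record. All names, ids, fields and the rule that a user may read their own record are assumptions made for the example.

```python
from dataclasses import dataclass, asdict

# Constructed sample data. Role names follow the advisory; ids, fields and the
# rule that a user may read their own record are assumptions for this example.
ADMIN_ROLES = {"owner", "admin"}

@dataclass(frozen=True)
class Account:
    id: str
    role: str
    display_name: str
    email: str

ACCOUNTS = {a.id: a for a in (
    Account("id-owner", "owner", "Olivia Owner", "owner@example.test"),
    Account("id-user", "user", "Uma User", "uma@example.test"),
    Account("id-guest", "guest", "Gus Guest", "gus@example.test"),
)}

class Forbidden(Exception):
    """Would map to HTTP 403 in a real handler."""

def get_profile_vulnerable(caller_id, target_id):
    # IDOR: the caller is authenticated, but the requested id is trusted as-is.
    _caller = ACCOUNTS[caller_id]
    return asdict(ACCOUNTS[target_id])

def get_profile_hardened(caller_id, target_id):
    caller = ACCOUNTS[caller_id]
    target = ACCOUNTS.get(target_id)
    # Object-level check: only the subject or an administrator gets the record.
    if target is not None and (caller.id == target.id or caller.role in ADMIN_ROLES):
        return asdict(target)
    # Same error for unknown and forbidden ids, so ids cannot be enumerated.
    raise Forbidden("not authorized for this profile")

def leaks(handler):
    """List (caller role, target role) pairs where a non-admin reads another account."""
    found = []
    for caller in ACCOUNTS.values():
        for target in ACCOUNTS.values():
            if caller.role in ADMIN_ROLES or caller.id == target.id:
                continue
            try:
                handler(caller.id, target.id)
            except Forbidden:
                continue
            found.append((caller.role, target.role))
    return found
```

Running `leaks` over every profile-returning handler in a test suite turns the role matrix into a regression check: an empty list means no low-privileged role can read another account's record.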

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including the Owner's unique identifier and profile details.

Remediation

Users can update to ONLYOFFICE DocSpace version 3.2.1 or later to address this vulnerability.

Added: May 26, 2026, 4:42 PM
Updated: May 26, 2026, 4:42 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 5.2
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.