{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32300", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T21:16:21.658Z", "datePublished": "2026-03-23T21:40:59.009Z", "dateUpdated": "2026-03-25T19:17:40.942Z"}, "containers": {"cna": {"title": "Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information", "problemTypes": [{"descriptions": [{"cweId": "CWE-285", "lang": "en", "description": "CWE-285: Improper Authorization", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9"}, {"name": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"version": "< 1.41.1", "status": "affected"}, {"version": ">= 2.0.0, < 2.41.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:40:59.009Z"}, "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch."}], "source": {"advisory": "GHSA-qr6x-wvxr-8hm9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T19:17:22.723073Z", "id": "CVE-2026-32300", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:17:40.942Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32300", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T19:17:22.723073Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T19:17:33.610Z"}}], "cna": {"title": "Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information", "source": {"advisory": "GHSA-qr6x-wvxr-8hm9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "opensource-workshop", "product": "connect-cms", "versions": [{"status": "affected", "version": "< 1.41.1"}, {"status": "affected", "version": ">= 2.0.0, < 2.41.1"}]}], "references": [{"url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9", "name": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce", "name": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "name": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285: Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-23T21:40:59.009Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32300", "state": "PUBLISHED", "dateUpdated": "2026-03-25T19:17:40.942Z", "dateReserved": "2026-03-11T21:16:21.658Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-23T21:40:59.009Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "60B8BBDF-82BD-486D-AE17-7F59360E62C3", "versionEndExcluding": "1.41.1", "versionStartIncluding": "1.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0C11B4F0-DF29-473A-A285-9DA152DDCDE1", "versionEndExcluding": "2.41.1", "versionStartIncluding": "2.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch."}, {"lang": "es", "value": "Connect-CMS es un sistema de gesti\u00f3n de contenido. En versiones de la serie 1.x hasta la 1.41.0 inclusive y versiones de la serie 2.x hasta la 2.41.0 inclusive, un problema de autorizaci\u00f3n impropia en la funci\u00f3n de actualizaci\u00f3n de perfil Mi P\u00e1gina puede permitir la modificaci\u00f3n de informaci\u00f3n de usuario arbitraria. Las versiones 1.41.1 y 2.41.1 contienen un parche."}], "id": "CVE-2026-32300", "lastModified": "2026-03-24T20:40:41.447", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-23T22:16:27.933", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/opensource-workshop/connect-cms/commit/7c9951738c62a1d51b91e9956d1eb756c5d52cce"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/opensource-workshop/connect-cms/security/advisories/GHSA-qr6x-wvxr-8hm9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.41.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[2.0.0,2.41.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "connect-cms", "source": "cna", "vendor": "opensource-workshop"}, "product": "connect-cms", "vendor": "opensource-workshop"}], "analysis": {"en": {"generated_at": "2026-03-24T21:55:25.489323+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Connect CMS to version 1.41.1 or 2.41.1."], "summary": {"action": "Patch Update", "impact": "Unauthorized user data modification"}, "threat_synthesis": {"affected_systems": "The issue affects all Connect CMS releases in the 1.x series up to and including 1.41.0 and in the 2.x series up to and including 2.41.0. The vendor, opensource\u2011workshop, released patches in versions 1.41.1 and 2.41.1 to address the flaw.", "description_and_impact": "Connect CMS contains an improper authorization flaw in the My Page profile update feature that permits an attacker to alter arbitrary user information. The vulnerability is rooted in CWE-285 and CWE-639, indicating that authentication and authorization controls are insufficient. Because of this weakness, an attacker could change profile details, potentially fabricating credentials or personal data, thereby degrading data integrity and possibly enabling further account compromise.", "risk_and_exploitability": "A CVSS score of 8.1 classifies the vulnerability as high severity, while an EPSS score below 1% indicates it is not widely exploited yet. The flaw is reachable remotely via the web interface, so an attacker who obtains web access could send crafted profile update requests, a step that is inferred from the description. Although the vulnerability is not listed in the CISA KEV catalog, the potential for unauthorized data alteration and subsequent privilege escalation remains significant."}}}}, "created": "2026-03-24T10:30:11.366495+00:00", "updated": "2026-03-25T20:36:19.487032+00:00", "vendors": ["opensource-workshop", "opensource-workshop$PRODUCT$connect-cms"]}