Description
Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.2.
Published: 2026-01-23
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch
AI Analysis

Impact

The vulnerability arises from a missing authorization check in the Cloudinary WordPress plugin. Because the plugin does not verify a user’s permissions when handling certain requests, an attacker can access or manipulate media that should be restricted. This flaw falls under the CWE-862 "Missing Authorization" weakness. The result is that an unauthorized user with access to the WordPress site can potentially view or modify protected content, compromising confidentiality and integrity of media assets.

Affected Systems

The affected product is the Cloudinary WordPress plugin, version 3.3.2 or earlier. No specific configurations are enumerated beyond the version constraint; the plugin is listed as Cloudinary:Cloudinary in the CNA data.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity. The EPSS score of less than 1% points to a very low probability of exploitation at the time of analysis, and the vulnerability is not currently listed in CISA’s KEV catalog. The likely attack path requires access to the WordPress installation’s web interface or the ability to send crafted HTTP requests to the plugin’s endpoints. Because the flaw is a missing authorization check rather than an injection or code execution vector, the impact is largely limited to unauthorized data access rather than system compromise.

Generated by OpenCVE AI on April 16, 2026 at 01:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Cloudinary WordPress plugin to the latest release (>= 3.3.3) to eliminate the missing authorization check.
  • If updating is not immediately possible, restrict the plugin’s functionality by adjusting WordPress user roles and permissions so that only administrators can access the Cloudinary settings and media operations.
  • Review and tighten the Cloudinary integration settings in WordPress, ensuring that media endpoints are protected and not exposed to unauthenticated users.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0.
Values Added: Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.2.

Type: Title
Values Removed: WordPress Cloudinary plugin <= 3.3.0 - Broken Access Control vulnerability
Values Added: WordPress Cloudinary plugin <= 3.3.2 - Broken Access Control vulnerability

Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
  Cloudinary
  Cloudinary cloudinary
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Cloudinary
  Cloudinary cloudinary
  Wordpress
  Wordpress wordpress

Fri, 23 Jan 2026 20:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0.

Type: Title
Values Added: WordPress Cloudinary plugin <= 3.3.0 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:49.311Z

Reserved: 2026-01-23T12:31:58.116Z

Link: CVE-2026-24560

Vulnrichment

Updated: 2026-01-23T20:03:03.664Z

NVD

Status: Deferred

Published: 2026-01-23T15:16:13.337

Modified: 2026-04-28T15:16:14.220

Link: CVE-2026-24560

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:45:20Z
