Description
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch.
Published: 2026-03-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper authorization flaw in the page content retrieval feature of Connect CMS. An attacker who can reach the CMS web interface may request the content of any page, regardless of whether the page is set to private. This permits disclosure of confidential or otherwise sensitive information that should only be visible to authenticated, authorized users. The weakness is a classic access control bypass (CWE-284).

Affected Systems

Affected versions include all releases of the 1.x series up to and including 1.41.0 and all releases of the 2.x series up to and including 2.41.0. The vendor, OpenSource-Workshop, released a fix in version 1.41.1 for the 1.x series and version 2.41.1 for the 2.x series. Systems running any earlier release are vulnerable.

Risk and Exploitability

The CVSS base score of 7.5 indicates high severity, but the EPSS score of less than 1% suggests a low likelihood of current exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this flaw by sending crafted requests to the CMS page retrieval endpoint over the network. Because the flaw is purely an authorization bypass, no local privilege escalation or code execution is required, yet the confidentiality impact is significant. The likely attack vector is remote via the web interface.

Generated by OpenCVE AI on March 24, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by updating to Connect CMS version 1.41.1 or 2.41.1.
  • If the update cannot be applied immediately, restrict access to the CMS administration interface using network controls or allow only trusted IP addresses.
  • Monitor web server and CMS logs for unauthorized content retrieval attempts and investigate suspicious activity.
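As an added example, not part of the OpenCVE record or of the Connect-CMS project, the script below shows one way to act on the log-monitoring recommendation above: it reads web server access log lines and flags clients that either received a 200 for a page known to be private or swept many distinct page IDs, the enumeration pattern an authorization bypass in a by-ID retrieval feature invites. The route `/page-content/<id>`, the set of private page IDs, the threshold and the log lines are all constructed placeholders, since the advisory does not name the affected endpoint; substitute the real route and page list for your installation.

```python
"""Access-log review for unauthorized page content retrieval (added example;
the endpoint path, private page IDs and log lines are constructed placeholders)."""
import re
from collections import defaultdict

# Assumed shape of the page content retrieval route (placeholder, not the real route).
CONTENT_PATH = re.compile(r"^/page-content/(\d+)$")

# Apache/nginx "combined" log format: client IP, ident, remote user, time,
# request line, status, size. Only IP, path and status are used below.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed: page IDs that are non-public (in practice, export these from the CMS).
PRIVATE_PAGE_IDS = {7, 8, 9}

# Constructed sample lines: one ordinary visitor and one client sweeping page IDs.
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2026:10:01:02 +0000] "GET /page-content/1 HTTP/1.1" 200 5120
203.0.113.5 - - [24/Mar/2026:10:01:09 +0000] "GET /page-content/2 HTTP/1.1" 200 4022
198.51.100.9 - - [24/Mar/2026:10:05:00 +0000] "GET /page-content/5 HTTP/1.1" 200 3300
198.51.100.9 - - [24/Mar/2026:10:05:01 +0000] "GET /page-content/6 HTTP/1.1" 200 2100
198.51.100.9 - - [24/Mar/2026:10:05:01 +0000] "GET /page-content/7 HTTP/1.1" 200 8800
198.51.100.9 - - [24/Mar/2026:10:05:02 +0000] "GET /page-content/8 HTTP/1.1" 200 9100
198.51.100.9 - - [24/Mar/2026:10:05:02 +0000] "GET /page-content/9 HTTP/1.1" 403 0
198.51.100.9 - - [24/Mar/2026:10:05:03 +0000] "GET /login HTTP/1.1" 200 1200
"""


def review_log(text, private_ids=PRIVATE_PAGE_IDS, sweep_threshold=4):
    """Return {client_ip: finding} for clients that were served a private page
    with HTTP 200 or that requested at least `sweep_threshold` distinct page IDs."""
    seen = defaultdict(set)      # ip -> distinct page IDs requested
    leaked = defaultdict(list)   # ip -> private page IDs served with 200
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                      # not a combined-format line; skip
        p = CONTENT_PATH.match(m["path"])
        if not p:
            continue                      # not the content retrieval route
        page_id = int(p.group(1))
        ip = m["ip"]
        seen[ip].add(page_id)
        if page_id in private_ids and m["status"] == "200":
            leaked[ip].append(page_id)

    findings = {}
    for ip, ids in seen.items():
        reasons = []
        if leaked[ip]:
            reasons.append(f"private page(s) {sorted(leaked[ip])} served with 200")
        if len(ids) >= sweep_threshold:
            reasons.append(f"{len(ids)} distinct page IDs requested (enumeration)")
        if reasons:
            findings[ip] = {"pages": sorted(ids), "leaked": sorted(leaked[ip]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for ip, finding in review_log(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(finding["reasons"]))
```

The combined log format does not record whether the client held a valid CMS session, so a private page served with 200 is a lead to confirm against the CMS's own session or audit records rather than proof of exploitation; the sweep count is the stronger signal, since a legitimate reader rarely walks sequential page IDs in a few seconds.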



Advisories
Source: GitHub GHSA
ID: GHSA-62ch-j6x7-722j
Title: Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
History

Tue, 24 Mar 2026 20:45:00 +0000

CPEs added: cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 16:15:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 10:45:00 +0000

First Time appeared: Opensource-workshop; Opensource-workshop connect-cms
Vendors & Products added: Opensource-workshop; Opensource-workshop connect-cms

Tue, 24 Mar 2026 02:30:00 +0000

Description added: Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch.
Title added: Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
Weaknesses added: CWE-284
References: none listed
Metrics added: cvssV3_1
{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T15:49:20.800Z

Reserved: 2026-03-11T21:16:21.658Z

Link: CVE-2026-32299

Vulnrichment

Updated: 2026-03-24T15:49:11.607Z

NVD

Status : Analyzed

Published: 2026-03-23T22:16:27.780

Modified: 2026-03-24T20:38:16.723

Link: CVE-2026-32299

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:36:20Z

Weaknesses