Description
Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.
Published: 2026-03-23
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized user data modification
Action: Patch Update
AI Analysis

Impact

Connect CMS contains an improper authorization flaw in the My Page profile update feature that permits an attacker to alter arbitrary user information. The vulnerability is rooted in CWE-285 and CWE-639, indicating that authentication and authorization controls are insufficient. Because of this weakness, an attacker could change profile details, potentially fabricating credentials or personal data, thereby degrading data integrity and possibly enabling further account compromise.

Affected Systems

The issue affects all Connect CMS releases in the 1.x series up to and including 1.41.0 and in the 2.x series up to and including 2.41.0. The vendor, opensource‑workshop, released patches in versions 1.41.1 and 2.41.1 to address the flaw.

Risk and Exploitability

A CVSS score of 8.1 classifies the vulnerability as high severity, while an EPSS score below 1% indicates it is not widely exploited yet. The flaw is reachable remotely via the web interface, so an attacker who obtains web access could send crafted profile update requests, a step that is inferred from the description. Although the vulnerability is not listed in the CISA KEV catalog, the potential for unauthorized data alteration and subsequent privilege escalation remains significant.

Generated by OpenCVE AI on March 24, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Connect CMS to version 1.41.1 or 2.41.1.

Generated by OpenCVE AI on March 24, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qr6x-wvxr-8hm9 Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
History

Wed, 25 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opensource-workshop:connect-cms:*:*:*:*:*:*:*:*

Tue, 24 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Opensource-workshop
Opensource-workshop connect-cms
Vendors & Products Opensource-workshop
Opensource-workshop connect-cms

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.
Title Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information
Weaknesses CWE-285
CWE-639
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Opensource-workshop Connect-cms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T19:17:40.942Z

Reserved: 2026-03-11T21:16:21.658Z

Link: CVE-2026-32300

cve-icon Vulnrichment

Updated: 2026-03-25T19:17:33.610Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-23T22:16:27.933

Modified: 2026-03-24T20:40:41.447

Link: CVE-2026-32300

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T20:36:19Z

Weaknesses