The vulnerability exists in the open-source Sulu content management system, a PHP-based platform built on the Symfony framework. A flaw in the permission checks for certain admin API endpoints allows a user who holds any Sulu Admin role to retrieve sub-entities of contacts even when that user lacks explicit permission for the contacts themselves. This authorization bypass enables an attacker to read sensitive contact data through the API, potentially exposing personally identifiable information. The flaw does not provide remote code execution or denial of service; it is purely an information disclosure issue caused by improper access control.

Sulu CMS versions from 1.0.0 up to, but not including, 2.6.22 and from 3.0.0 up to, but not including, 3.0.5. The issue affects the admin API that serves sub-entity data of contacts. Any deployment of these affected releases that permits users to obtain an Sulu Admin role is vulnerable.

The Common Vulnerability Scoring System assigns a medium severity with a score of 5.3, and the Exploit Prediction Scoring System rate is below 1%, indicating low exploitation likelihood. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need authenticated access to the Sulu admin API with an admin role, which implies a trusted or compromised account. The attack vector is through HTTP requests to the backend API, so the threat is primarily internal or from compromised credentials. While most chances for exploitation are mitigated by credential protection, any compromise of an admin account would make the flaw immediately actionable.