The vulnerability is an Insecure Direct Object Reference in several ONLYOFFICE DocSpace REST API endpoints that permits users with basic or guest roles to obtain data that should be restricted to administrators, such as the owner’s unique identifier and personal profile records. Because the flaw relies on insufficient authorization checks, a logged‑in user can simply request the resource using a predictable or enumerated identifier and receive the sensitive data. This enables a privacy breach and potential misuse of personal information. The weakness is characterized by improper input validation and lack of proper access controls, leading to information disclosure.

ONLYOFFICE DocSpace versions before 3.2.1, where the REST API exposed owner identifiers and profile data to non‑administrator users.

Exploitation requires only an authenticated User or Guest account; no special privileges or exploit code are needed. The attack vector is a direct API call that returns sensitive information. The CVSS score is 4.3, indicating a moderate risk. While no EPSS score is available and the issue is not listed in the CISA KEV catalog, the confidentiality impact is significant, as the system reveals personal identifiers that could enable further social engineering or targeted attacks. The risk is primarily a privacy breach rather than a code‑execution or denial‑of‑service scenario.