Description
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference in several ONLYOFFICE DocSpace REST API endpoints that permits users with the User or Guest role to obtain data that should be restricted to administrators, such as the owner's unique identifier and personal profile records. Because the endpoints do not sufficiently check authorization, a logged-in user can simply request the resource using a predictable or enumerated identifier and receive the sensitive data. This enables a privacy breach and potential misuse of personal information. The weakness combines insufficient validation of user-supplied identifiers with missing access-control checks (CWE-639), resulting in information disclosure.

Affected Systems

ONLYOFFICE DocSpace versions before 3.2.1, where the REST API exposed owner identifiers and profile data to non‑administrator users.

Risk and Exploitability

Exploitation requires only an authenticated User or Guest account; no special privileges or exploit code are needed. The attack vector is a direct API call that returns sensitive information. While no EPSS score is available and the issue is not listed in the CISA KEV catalog, the confidentiality impact is significant, as the system reveals personal identifiers that could enable further social engineering or targeted attacks. The risk is primarily a privacy breach rather than a code‑execution or denial‑of‑service scenario.

Generated by OpenCVE AI on May 26, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ONLYOFFICE DocSpace to version 3.2.1 or later, where the IDOR issue is fixed.
  • Restrict API endpoints that expose owner identifiers and profile data to administrator roles only.
  • Audit current role permissions and remove any User or Guest access to those sensitive endpoints.
  • Review and tighten authorization checks on all REST API resources to enforce least‑privilege access controls.

Tracking


Advisories

No advisories yet.

History

Tue, 26 May 2026 16:45:00 +0000

Type         Values Removed   Values Added
Title        (none)           Insecure Direct Object Reference in ONLYOFFICE DocSpace REST API Enables Sensitive Data Exposure for Low-Permission Users
Weaknesses   (none)           CWE-639

Tue, 26 May 2026 15:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T14:27:34.283Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38587

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-26T16:16:23.920

Modified: 2026-05-26T16:16:23.920

Link: CVE-2026-38587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T16:30:10Z

Weaknesses