Description
Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset token and API key generation uses a weak cryptographical hash algorithm. This issue has been patched in versions 2.6.23 and 3.0.6.
Published: 2026-06-01
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sulu uses an insecure hash algorithm to generate password reset tokens and API keys, making these credentials vulnerable to prediction or brute‑force attacks. The weakness is classified as CWE‑327 and could allow an attacker to gain unauthorized access to user accounts or abuse the system’s API. The vulnerability exists in all releases prior to the fixes applied in versions 2.6.23 and 3.0.6.

Affected Systems

All versions of Sulu before 2.6.23 (for the 2.x series) and before 3.0.6 (for the 3.x series) are affected. The patches that address the weak hash are contained in the 2.6.23 and 3.0.6 releases, so administrators should upgrade to one of those or later. No specific sub‑components are singled out, but any installation that still uses the legacy token generation code is considered vulnerable.

Risk and Exploitability

The CVSS 4.0 base score of 6.9 is rated Medium, reflecting significant risk but not immediate catastrophic potential. EPSS information is not available, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vectors are remote (AV:N) and rely on the web interface or API to trigger password resets or request API keys. An attacker who can predict or brute‑force the weak tokens can hijack accounts or perform unauthorized API calls; the exposure depends on whether residual tokens generated by the old code are still in circulation.

Generated by OpenCVE AI on June 1, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Sulu to version 2.6.23 or 3.0.6, the first releases that include the hot‑fix for the weak hash algorithm.
  • Regenerate all user API keys and invalidate any existing password reset tokens, ensuring that old, vulnerable credentials are no longer usable.
  • Audit existing API keys and reset tokens to confirm that no legacy, weakly generated tokens remain in use, and verify that new tokens are created using the updated algorithm.
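The following PHP snippet is an added illustration of what the recommended actions mean in code; it is not Sulu's code and does not reproduce the project's token logic. It contrasts a hypothetical CWE‑327 style generator (a general-purpose hash over guessable inputs) with a CSPRNG-based generator, shows constant-time verification against a stored fingerprint, and a rotation helper that replaces every legacy key. The function names, the 32-byte token length, the one-hour expiry and the in-memory `$fixture` array standing in for a key table are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not Sulu's code). Shows the difference between a
// hash-of-guessable-input token and a CSPRNG token, plus key rotation.

// WEAK (hypothetical, shown only for contrast): the output looks random, but
// its entropy is bounded by what an outsider can infer about the inputs
// (an e-mail address and a coarse timestamp). Do not use this pattern.
function weakResetToken(string $email): string
{
    return md5($email . time());
}

// HARDENED: 32 bytes from the operating system CSPRNG, hex-encoded (64 chars).
// random_bytes() throws if no secure source is available, so failure is loud.
function secureResetToken(): string
{
    return bin2hex(random_bytes(32));
}

// Persist only a fingerprint of the token so a database read-out does not
// hand out live reset tokens. SHA-256 is fine here because the input already
// carries 256 bits of entropy; this is not a password hash.
function tokenFingerprint(string $token): string
{
    return hash('sha256', $token);
}

// Constant-time comparison of the presented token's fingerprint against the
// stored one, with an expiry check. $expiresAt is a Unix timestamp.
function verifyResetToken(string $presented, string $storedFingerprint, int $expiresAt): bool
{
    if (time() > $expiresAt) {
        return false;
    }
    return hash_equals($storedFingerprint, tokenFingerprint($presented));
}

// Rotation helper for the "regenerate all API keys" step: every user gets a
// fresh CSPRNG key and the legacy value is discarded. $keys is a constructed
// map of user id => API key that stands in for the real key table.
function rotateApiKeys(array $keys): array
{
    $rotated = [];
    foreach (array_keys($keys) as $userId) {
        $rotated[$userId] = bin2hex(random_bytes(32));
    }
    return $rotated;
}

// Usage with constructed data.
$fixture = ['user-1' => 'legacy-key-a', 'user-2' => 'legacy-key-b'];
$fresh   = rotateApiKeys($fixture);

$token       = secureResetToken();
$fingerprint = tokenFingerprint($token);
$expiresAt   = time() + 3600;

var_dump(verifyResetToken($token, $fingerprint, $expiresAt));
var_dump(verifyResetToken('not-the-token', $fingerprint, $expiresAt));
var_dump(count($fresh) === count($fixture) && array_diff($fresh, $fixture) === $fresh);
```

For the audit step, a practical check is to compare the format of stored tokens against what the new generator produces (here, 64 lowercase hex characters): anything shorter, or in a different alphabet, predates the rotation and should be invalidated rather than inspected further.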


Advisories
Source | ID | Title
GitHub GHSA | GHSA-7fv8-6pp7-6h85 | Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens
History

Mon, 01 Jun 2026 19:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sulu; Sulu sulu
Vendors & Products | | Sulu; Sulu sulu

Mon, 01 Jun 2026 17:00:00 +0000

Type | Values Removed | Values Added
Description | | Sulu is an open-source PHP content management system based on the Symfony framework. Prior to versions 2.6.23 and 3.0.6, the password reset token and API key generation uses a weak cryptographical hash algorithm. This issue has been patched in versions 2.6.23 and 3.0.6.
Title | | Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens
Weaknesses | | CWE-327
References | |
Metrics | | cvssV4_0: score 6.9, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-01T19:07:13.574Z

Reserved: 2026-05-13T04:38:01.165Z

Link: CVE-2026-45701

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-06-01T17:17:11.017

Modified: 2026-06-01T18:16:02.273

Link: CVE-2026-45701

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T19:15:11Z

Weaknesses