PatchSiren cyber security CVE debrief
CVE-2026-38587 ONLYOFFICE CVE debrief
An Insecure Direct Object Reference (IDOR) vulnerability in ONLYOFFICE DocSpace before version 3.2.1 allows authenticated users with low-level permissions (User or Guest) to access sensitive administrative information through multiple REST API endpoints. The flaw enables unauthorized retrieval of the Owner's unique identifier and profile information, which should be restricted to administrators. The vulnerability was published on 2026-05-26 and carries a CVSS 3.1 score of 4.3 (Medium severity). The issue has been addressed in DocSpace version 3.2.1, as documented in the project's security changelog.
- Vendor: ONLYOFFICE
- Product: DocSpace
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running ONLYOFFICE DocSpace instances with multi-user environments where Guest or standard User accounts are provisioned. System administrators responsible for access control policies and security compliance in document collaboration platforms. Security teams monitoring for IDOR vulnerabilities in REST API implementations.
Technical summary
The vulnerability exists in multiple REST API endpoints within ONLYOFFICE DocSpace versions prior to 3.2.1. The IDOR flaw allows authenticated users with minimal permissions (User or Guest roles) to bypass authorization controls and directly reference objects belonging to the Owner account. This results in unauthorized disclosure of sensitive administrative information including the Owner's unique identifier and profile details. The attack requires network access and valid low-privilege credentials, with no user interaction needed. The confidentiality impact is rated low per CVSS, as the exposure is limited to information disclosure without integrity or availability effects.
Defensive priority
medium
Recommended defensive actions
- Upgrade ONLYOFFICE DocSpace to version 3.2.1 or later to remediate the IDOR vulnerability
- Review REST API endpoint access controls to ensure proper authorization checks are enforced for all sensitive data retrieval operations
- Audit user access logs for potential unauthorized access to owner profile information prior to patching
- Implement defense-in-depth by validating user permissions at both the API gateway and application layers for administrative data endpoints
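The CWE-639 pattern described in the technical summary, and the layered authorization check recommended above, shown side by side as an added illustration. This is not ONLYOFFICE DocSpace code: the endpoint shapes, the `Admin` role, the role ordering and the sample user directory are all constructed for the example. The vulnerable handler authenticates the caller and then returns whatever record the caller-supplied identifier points at; the hardened handlers gate by role before the handler runs (the "gateway" layer) and check ownership again inside it (the application layer).

```python
"""Object-level authorization for a profile-lookup endpoint (added example).

Not DocSpace code. Roles, data model and endpoint shape are assumptions
chosen to mirror the IDOR / CWE-639 pattern in the advisory.
"""
from dataclasses import dataclass
from functools import wraps

# Assumed role ordering for this toy model; DocSpace's own model is not reproduced.
ROLE_RANK = {"Guest": 0, "User": 1, "Admin": 2, "Owner": 3}


@dataclass(frozen=True)
class Profile:
    user_id: str
    display_name: str
    email: str
    role: str


class Forbidden(Exception):
    """Raised where a real API would answer 403."""


# Constructed sample directory standing in for the tenant's user store.
DIRECTORY = {
    "u-owner-0001": Profile("u-owner-0001", "Tenant Owner", "owner@example.test", "Owner"),
    "u-admin-0002": Profile("u-admin-0002", "Site Admin", "admin@example.test", "Admin"),
    "u-user-0003": Profile("u-user-0003", "Ordinary User", "user@example.test", "User"),
    "u-guest-0004": Profile("u-guest-0004", "Guest Account", "guest@example.test", "Guest"),
}


def get_profile_vulnerable(requester_id: str, target_id: str) -> Profile:
    """IDOR pattern: authentication only. Any logged-in caller can supply
    any identifier, including the Owner's, and receive the full record."""
    if requester_id not in DIRECTORY:
        raise Forbidden("unauthenticated")
    return DIRECTORY[target_id]


def require_role(minimum: str):
    """Gateway-layer gate: reject callers below `minimum` before the handler runs."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(requester_id: str, *args):
            requester = DIRECTORY.get(requester_id)
            if requester is None or ROLE_RANK[requester.role] < ROLE_RANK[minimum]:
                raise Forbidden(f"{requester_id} lacks role {minimum}")
            return handler(requester_id, *args)
        return wrapped
    return decorator


def get_profile_hardened(requester_id: str, target_id: str) -> Profile:
    """Application-layer object check: a caller may read only their own record
    unless they hold an administrative role. The check runs before the lookup,
    so non-admins learn nothing about whether a foreign id exists."""
    requester = DIRECTORY.get(requester_id)
    if requester is None:
        raise Forbidden("unauthenticated")
    is_admin = ROLE_RANK[requester.role] >= ROLE_RANK["Admin"]
    if target_id != requester_id and not is_admin:
        raise Forbidden(f"{requester_id} may not read profile {target_id}")
    return DIRECTORY[target_id]


@require_role("Admin")
def get_owner_hardened(requester_id: str) -> Profile:
    """Administrative endpoint: the Owner record is found by role, never by a
    caller-supplied id. The decorator gates at the edge; the in-handler check
    repeats it so the handler stays safe if it is ever wired up without the gate."""
    requester = DIRECTORY[requester_id]
    if ROLE_RANK[requester.role] < ROLE_RANK["Admin"]:
        raise Forbidden("administrative data")
    return next(p for p in DIRECTORY.values() if p.role == "Owner")


def raises_forbidden(fn, *args) -> bool:
    """True if calling fn(*args) is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # A Guest reading the Owner's record: leaks through the vulnerable handler,
    # is refused by the hardened one; self and admin reads still work.
    print("vulnerable leak:", get_profile_vulnerable("u-guest-0004", "u-owner-0001").role)
    print("hardened refuses:", raises_forbidden(get_profile_hardened, "u-guest-0004", "u-owner-0001"))
    print("self read ok:", get_profile_hardened("u-guest-0004", "u-guest-0004").user_id)
    print("admin read ok:", get_profile_hardened("u-admin-0002", "u-owner-0001").role)
    print("owner endpoint, User:", raises_forbidden(get_owner_hardened, "u-user-0003"))
```

The point of keeping two checks is the one the fourth recommendation makes: a coarse role gate at the API edge catches mis-routed calls cheaply, but only the object-level comparison inside the handler decides whether this caller may see this record, and that is the check an IDOR bypasses when it is missing.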
Evidence notes
The vulnerability is documented in the ONLYOFFICE DocSpace CHANGELOG security section, which confirms the IDOR issue was resolved in version 3.2.1. The NVD record indicates deferred status with CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, reflecting network attack vector, low attack complexity, low privileges required, and low confidentiality impact. CWE-639 (Authorization Bypass Through User-Controlled Key) is identified as the weakness type.
Official resources
- CVE-2026-38587 CVE record (CVE.org)
- CVE-2026-38587 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-26