MEDIUM
ONLYOFFICE
CVE published 2026-05-26
CVE-2026-38587
An Insecure Direct Object Reference (IDOR) vulnerability in ONLYOFFICE DocSpace before version 3.2.1 allows authenticated users with low-level permissions (User or Guest) to access sensitive administrative information through multiple REST API endpoints. The flaw enables unauthorized retrieval of the Owner's unique identifier and profile information, which should be restricted to administrators. The vulne [truncated]