Connect CMS: Information Disclosure Due to Improper Authorization through the Page Content Retrieval Feature
Description
Connect-CMS is a content management system. In versions in the 1.x series up to and including 1.41.0 and versions in the 2.x series up to and including 2.41.0, an improper authorization issue in the page content retrieval feature may allow retrieval of non-public information. Versions 1.41.1 and 2.41.1 contain a patch.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Connect-CMS 1.x ≤1.41.0 and 2.x ≤2.41.0 have an improper authorization flaw in page content retrieval, allowing unauthorized access to non-public information.
Vulnerability Overview
CVE-2026-32299 is an improper authorization vulnerability in the page content retrieval feature of Connect-CMS, a content management system. The flaw exists in all versions of the 1.x series up to and including 1.41.0, and all versions of the 2.x series up to and including 2.41.0 [1]. The root cause is a missing or insufficient authorization check when fetching page content, which allows an attacker to bypass intended access controls.
Exploitation
An attacker can exploit this vulnerability by sending crafted requests to the page content retrieval endpoint without proper authentication or authorization. No special privileges or network position are required beyond the ability to reach the CMS instance. The attack surface is the public-facing web interface, and the vulnerability can be triggered without any prior user interaction [1].
Impact
Successful exploitation leads to the retrieval of non-public information, such as restricted pages, drafts, or other sensitive content that should only be accessible to authorized users. This constitutes an information disclosure that could expose confidential data, internal notes, or unpublished materials [1].
Mitigation
The issue has been addressed in versions 1.41.1 and 2.41.1, which contain the necessary authorization fixes [2][4]. Users are strongly advised to upgrade to these patched versions immediately. No workarounds have been publicly documented, and the vendor has not indicated that the vulnerability is being actively exploited in the wild.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| opensource-workshop/connect-cms (Packagist) | < 1.41.1 | 1.41.1 |
| opensource-workshop/connect-cms (Packagist) | >= 2.0.0, < 2.41.1 | 2.41.1 |
Affected products
- Range: <=1.41.0 (1.x) and <=2.41.0 (2.x)
- opensource-workshop/connect-cms (v5), Range: < 1.41.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-62ch-j6x7-722j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-32299 (ghsa, ADVISORY)
- github.com/opensource-workshop/connect-cms/releases/tag/v1.41.1 (ghsa, x_refsource_MISC, WEB)
- github.com/opensource-workshop/connect-cms/releases/tag/v2.41.1 (ghsa, x_refsource_MISC, WEB)
- github.com/opensource-workshop/connect-cms/security/advisories/GHSA-62ch-j6x7-722j (ghsa, x_refsource_CONFIRM, WEB)