VYPR
High severity · NVD Advisory · Published Mar 23, 2026 · Updated Mar 25, 2026

Connect CMS: Improper Authorization in the My Page Profile Update Feature Allows Modification of Arbitrary User Information

CVE-2026-32300

Description

Connect-CMS is a content management system. In versions in the 1.x series up to and including 1.41.0 and in the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Connect-CMS My Page profile update lacks authorization checks, allowing an attacker to modify arbitrary user information.

Vulnerability

An improper authorization vulnerability exists in the My Page profile update feature of Connect-CMS versions 1.x up to 1.41.0 and 2.x up to 2.41.0. The root cause is that the update method in the profile plugin accepted a user ID from the URL and directly queried the User model with that ID, without verifying that the authenticated user is authorized to modify that specific user's profile [1][2].

Exploitation

The attack surface is the profile update endpoint. An attacker must be authenticated as any user on the system. By manipulating the id parameter in the request URL, they can target any other user's profile for modification, as the server did not restrict updates to the currently logged-in user [2].

Impact

A successful exploit allows an authenticated attacker to arbitrarily modify the profile information of any other user in the system. This could include changing email addresses, login IDs, or other custom user fields, potentially leading to account takeover or privilege escalation [1].

Mitigation

The vulnerability is patched in Connect-CMS versions 1.41.1 and 2.41.1 [3][4]. The fix changes the update method to always operate on the authenticated user's own profile (Auth::user()) rather than accepting a user ID from the request [2]. Users are advised to update to the latest patched version immediately.
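
The root cause described above, a User lookup keyed on a caller-supplied method parameter, can be searched for in other handlers. This is an added example, not code from Connect-CMS or the advisory: a heuristic Python scan whose function names and two PHP samples are constructed for illustration, and whose brace matching does not account for braces inside strings or comments.

```python
import re

# PHP method signature; captures the method name and raw parameter list.
METHOD_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*(?::\s*\??\w+\s*)?\{")
# User::where('id', $x), User::find($x) or User::findOrFail($x); captures x.
LOOKUP_RE = re.compile(
    r"\bUser::(?:where\(\s*['\"]id['\"]\s*,\s*|find(?:OrFail)?\(\s*)\$(\w+)"
)
PARAM_RE = re.compile(r"\$(\w+)")


def method_bodies(src):
    """Yield (name, param_names, body) per named method, using naive brace matching."""
    for m in METHOD_RE.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        yield m.group(1), set(PARAM_RE.findall(m.group(2))), src[m.end():i]


def find_param_keyed_lookups(src):
    """Return (method, variable) pairs where a User row is fetched by a method parameter."""
    return [
        (name, var)
        for name, params, body in method_bodies(src)
        for var in LOOKUP_RE.findall(body)
        if var in params
    ]


# Constructed samples modelled on the removed and added lines of the fix.
BEFORE = """
public function update($request, $id)
{
    $user = User::where('id', $id)->first();
}
"""
AFTER = """
public function update($request, $id = null)
{
    $user = Auth::user();
    $user_id = $user->id;
}
"""

if __name__ == "__main__":
    print("before:", find_param_keyed_lookups(BEFORE))  # [('update', 'id')]
    print("after: ", find_param_keyed_lookups(AFTER))   # []
```

A hit is a prompt for manual review, not proof of a flaw: an administrative handler may legitimately load a user by id behind its own permission check.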

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                      Affected versions     Patched versions
opensource-workshop/connect-cms (Packagist)  < 1.41.1              1.41.1
opensource-workshop/connect-cms (Packagist)  >= 2.0.0, < 2.41.1    2.41.1

Affected products

2
  • Range: >=1.0, <=1.41.0 || >=2.0, <=2.41.0
  • opensource-workshop/connect-cmsv5
    Range: < 1.41.1

Patches

1
7c9951738c62

Fix: GHSA-qr6x-wvxr-8hm9

3 files changed · +88 -8
  • app/Plugins/Mypage/ProfileMypage/ProfileMypage.php +7 -7 modified
    @@ -12,7 +12,6 @@
     use App\Plugins\Mypage\MypagePluginBase;
     use App\Rules\CustomValiLoginIdAndPasswordDoNotMatch;
     use App\Rules\CustomValiUserEmailUnique;
    -use App\User;
     use Illuminate\Support\Facades\Auth;
     use Illuminate\Support\Facades\Hash;
     use Illuminate\Support\Facades\Validator;
    @@ -62,7 +61,6 @@ public function index($request, $id = null)
                 'themes'                  => $request->themes,
                 "function"                => __FUNCTION__,
                 "plugin_name"             => "profile",
    -            "id"                      => $user->id,
                 "user"                    => $user,
                 "users_columns"           => $users_columns,
                 "users_columns_id_select" => $users_columns_id_select,
    @@ -75,9 +73,11 @@ public function index($request, $id = null)
         /**
          * 更新
          */
    -    public function update($request, $id)
    +    public function update($request, $id = null)
         {
    -        $user = User::where('id', $id)->first();
    +        // URLのidではなく、ログインユーザー自身のみを更新対象にする。
    +        $user = Auth::user();
    +        $user_id = $user->id;
     
             // ユーザーのカラム
             $users_columns_all = UsersTool::getUsersColumns($user->columns_set_id);
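    Review bot: in update(), $id is still accepted (now defaulting to null) but is never compared with the authenticated user, so a request carrying another user's id is silently applied to the caller's own record instead of being rejected. Consider dropping the parameter together with the id route segment, or returning 403 when $id is non-null and differs from $user_id. Separately, $user->id is dereferenced directly after Auth::user(); if this action can be reached without an authenticated session that is a null dereference, so confirm the auth requirement or add a guard.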
    @@ -100,11 +100,11 @@ public function update($request, $id)
                     $base_rules = ['required', 'string', 'max:255'];
                     $validator_array['column']['name'] = UsersTool::getDefaultColumnAdditionalRules($base_rules, $users_column);
                 } elseif ($users_column->column_type == UserColumnType::login_id) {
    -                $base_rules = ['required', 'max:255', Rule::unique('users', 'userid')->ignore($id)];
    +                $base_rules = ['required', 'max:255', Rule::unique('users', 'userid')->ignore($user_id)];
                     $validator_array['column']['userid'] = UsersTool::getDefaultColumnAdditionalRules($base_rules, $users_column);
                 } elseif ($users_column->column_type == UserColumnType::user_email) {
                     // $validator_array['column']['email'] = ['nullable', 'email', 'max:255', Rule::unique('users')->ignore($id)];
    -                $base_rules = ['email', 'max:255', new CustomValiUserEmailUnique($request->columns_set_id, $id)];
    +                $base_rules = ['email', 'max:255', new CustomValiUserEmailUnique($user->columns_set_id, $user_id)];
                     if ($users_column->required) {
                         array_unshift($base_rules, 'required');
                     } else {
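    Review bot: the commented-out rule left in the user_email branch still reads Rule::unique('users')->ignore($id), which now refers to the ignored URL parameter; delete it or change it to $user_id so that uncommenting it cannot bring the old lookup key back. The switch from $request->columns_set_id to $user->columns_set_id in CustomValiUserEmailUnique is a second behaviour change (the column set no longer comes from the request) and should be called out in the commit message.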
    @@ -146,7 +146,7 @@ function ($attribute, $value, $fail) {
                     // チェックしない
                 } else {
                     // バリデータールールをセット
    -                $validator_array = UsersTool::getValidatorRule($validator_array, $users_column, $user->columns_set_id, $id);
    +                $validator_array = UsersTool::getValidatorRule($validator_array, $users_column, $user->columns_set_id, $user_id);
                 }
             }
     
    
  • resources/views/plugins/mypage/profile/edit_form.blade.php +1 -1 modified
    @@ -16,7 +16,7 @@
     {{-- 登録後メッセージ表示 --}}
     @include('plugins.common.flash_message')
     
    -<form action="{{url('/')}}/mypage/profile/update/{{$id}}" class="form-horizontal" method="POST" name="form_profile">
    +<form action="{{url('/')}}/mypage/profile/update" class="form-horizontal" method="POST" name="form_profile">
         {{ csrf_field() }}
     
         @foreach($users_columns as $column)
    
  • tests/Feature/Mypage/ProfileMypageUpdateTest.php +80 -0 added
    @@ -0,0 +1,80 @@
    +<?php
    +
    +namespace Tests\Feature\Mypage;
    +
    +use App\User;
    +use Illuminate\Foundation\Testing\RefreshDatabase;
    +use Tests\TestCase;
    +
    +/**
    + * @runTestsInSeparateProcesses
    + * @preserveGlobalState disabled
    + */
    +class ProfileMypageUpdateTest extends TestCase
    +{
    +    use RefreshDatabase;
    +
    +    protected function setUp(): void
    +    {
    +        parent::setUp();
    +        $this->seed();
    +    }
    +
    +    /**
    +     * URL引数のIDを指定しても、ログインユーザー以外のプロフィールは更新できない。
    +     */
    +    public function testProfileUpdatePathIdCannotUpdateAnotherUser(): void
    +    {
    +        $attacker = User::factory()->create([
    +            'name' => 'attacker',
    +            'userid' => 'attacker-userid',
    +            'email' => 'attacker@example.com',
    +            'columns_set_id' => 1,
    +        ]);
    +
    +        $victim = User::factory()->create([
    +            'name' => 'victim',
    +            'userid' => 'victim-userid',
    +            'email' => 'victim@example.com',
    +            'columns_set_id' => 1,
    +        ]);
    +
    +        $response = $this->actingAs($attacker)->post("/mypage/profile/update/{$victim->id}", [
    +            'name' => $attacker->name,
    +            'userid' => $attacker->userid,
    +            'email' => 'attacker-updated@example.com',
    +        ]);
    +
    +        $response->assertStatus(302);
    +        $response->assertRedirect(url('/mypage/profile'));
    +        $response->assertSessionHas('flash_message', '更新しました。');
    +
    +        $this->assertSame('attacker-updated@example.com', $attacker->fresh()->email);
    +        $this->assertSame('victim@example.com', $victim->fresh()->email);
    +    }
    +
    +    /**
    +     * フォーム送信先(IDなし)でもログインユーザーのプロフィールを更新できる。
    +     */
    +    public function testProfileUpdateWithoutPathIdUpdatesLoggedInUser(): void
    +    {
    +        $user = User::factory()->create([
    +            'name' => 'self-user',
    +            'userid' => 'self-userid',
    +            'email' => 'self@example.com',
    +            'columns_set_id' => 1,
    +        ]);
    +
    +        $response = $this->actingAs($user)->post('/mypage/profile/update', [
    +            'name' => $user->name,
    +            'userid' => $user->userid,
    +            'email' => 'self-updated@example.com',
    +        ]);
    +
    +        $response->assertStatus(302);
    +        $response->assertRedirect(url('/mypage/profile'));
    +        $response->assertSessionHas('flash_message', '更新しました。');
    +
    +        $this->assertSame('self-updated@example.com', $user->fresh()->email);
    +    }
    +}
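    Review bot: testProfileUpdatePathIdCannotUpdateAnotherUser only checks the victim's email after the request; assert that the victim's name and userid are unchanged as well, since both fields are submitted in the same POST. The test also pins the behaviour that a POST to /mypage/profile/update/{victim id} returns the success flash and updates the caller, so this expectation has to change if a mismatching id is later rejected. A case for an unauthenticated POST is missing.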
    

References

6
