VYPR
Unrated severity · NVD Advisory · Published May 26, 2026

CVE-2026-38587

Description

An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ONLYOFFICE DocSpace before 3.2.1 contains an IDOR vulnerability allowing low-privileged users to read the Owner's profile information via multiple REST API endpoints.

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability exists in ONLYOFFICE DocSpace prior to version 3.2.1 [1]. The flaw resides in multiple REST API endpoints that fail to enforce proper authorization checks. Authenticated users with low-level roles such as "User" or "Guest" can bypass access controls to retrieve sensitive information about the portal Owner, including their unique identifier (ID) and profile details.

Exploitation

An attacker must have a valid authenticated session with at least Guest-level permissions. No special privileges or additional prerequisites are required. By crafting direct requests to the vulnerable REST API endpoints, the attacker can enumerate the Owner's personal data without triggering any administrative review or audit mechanism.

Impact

Successful exploitation results in unauthorized disclosure of the Owner's ID and profile information. This violates the principle of least privilege and can lead to further targeted attacks, such as social engineering or account enumeration. The confidentiality of the highest-privilege user is compromised, potentially exposing the portal to broader security risks.

Mitigation

The vulnerability is fixed in ONLYOFFICE DocSpace version 3.2.1 [1]. Users should upgrade to this release or later as soon as possible. No official workaround has been provided for older, unsupported versions. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
