CVE-2026-32300 is an improper authorization vulnerability (CWE-285) identified in the open-source content management system Connect-CMS, specifically in the My Page profile update functionality. The flaw exists in versions from the 1.x series up to 1.41.0 and the 2.x series up to 2.41.0, where insufficient authorization checks allow authenticated users with limited privileges to modify arbitrary user information belonging to other users. This vulnerability arises due to improper access control logic, potentially linked to CWE-639 (authorization bypass through user-controlled key). Exploiting this vulnerability requires the attacker to be authenticated but does not require any user interaction, and it can be triggered remotely over the network. The CVSS v3.1 base score is 8.1, reflecting high severity, with attack vector network (AV:N), low attack complexity (AC:L), privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality and integrity (C:H/I:H/A:N). The vulnerability enables attackers to alter sensitive user data, which could lead to privilege escalation, impersonation, or further attacks within the system. The vendor has released patches in versions 1.41.1 and 2.41.1 to address this issue. No public exploits have been reported yet, but the risk remains significant due to the nature of the flaw and the widespread use of Connect-CMS in various organizations.

The vulnerability allows unauthorized modification of arbitrary user information, compromising the confidentiality and integrity of user data within Connect-CMS deployments. Attackers with limited privileges can escalate their access or impersonate other users by altering profile data, potentially gaining access to sensitive information or administrative functions. This can lead to data breaches, loss of trust, and compliance violations for organizations. Since Connect-CMS is used in diverse sectors including government, education, and private enterprises, the impact can be broad, affecting internal and external users. The lack of availability impact means systems remain operational, but the integrity and confidentiality risks are substantial. Organizations failing to patch may face targeted attacks exploiting this flaw to manipulate user accounts and gain unauthorized access to protected resources.

Organizations should immediately upgrade Connect-CMS to versions 1.41.1 or 2.41.1 or later, where the vulnerability is patched. Until upgrades are applied, administrators should restrict access to the My Page profile update feature to trusted users only and monitor user activity logs for suspicious profile modifications. Implement additional access control layers such as web application firewalls (WAFs) with custom rules to detect and block unauthorized profile update attempts. Conduct thorough audits of user permissions to ensure least privilege principles are enforced. Regularly review and update authentication and authorization mechanisms within Connect-CMS deployments. Educate users about the risks of unauthorized data changes and encourage reporting of anomalies. Finally, maintain an incident response plan to quickly address any exploitation attempts.