CVE-2026-34832: CWE-639: Authorization Bypass Through User-Controlled Key in Erudika scoold
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
AI Analysis
Technical Summary
CVE-2026-34832 is an authorization bypass vulnerability (CWE-639) in the Scoold Q&A platform before version 1.66.1. The vulnerability allows any authenticated user with low privileges to delete feedback posts submitted by other users by sending a POST request to /feedback/{id}/delete with the target feedback ID. The deletion handler checks only for authentication but fails to enforce object ownership or elevated privileges, enabling unauthorized deletion of feedback items. This flaw was confirmed by successful deletion of another user's feedback by a non-privileged account. The issue is resolved in Scoold version 1.66.1.
Potential Impact
The vulnerability allows unauthorized deletion of feedback posts by any logged-in user without requiring moderator or admin privileges. This can lead to loss of user-generated content and potential disruption of feedback integrity within the platform. There is no confidentiality or availability impact reported, but the integrity of feedback data is compromised.
Mitigation Recommendations
Upgrade Scoold to version 1.66.1 or later, where this authorization flaw has been patched. Prior to upgrading, restrict access to feedback deletion endpoints to trusted users only if possible. Patch status is confirmed as fixed in version 1.66.1.
CVE-2026-34832: CWE-639: Authorization Bypass Through User-Controlled Key in Erudika scoold
Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/{id}/delete. The handler enforces authentication but does not enforce object ownership (or moderator/admin authorization) before deletion. In verification, a second non-privileged account successfully deleted a victim account's feedback item, and the item immediately disappeared from the feedback listing/detail views. This issue has been patched in version 1.66.1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-34832 is an authorization bypass vulnerability (CWE-639) in the Scoold Q&A platform before version 1.66.1. The vulnerability allows any authenticated user with low privileges to delete feedback posts submitted by other users by sending a POST request to /feedback/{id}/delete with the target feedback ID. The deletion handler checks only for authentication but fails to enforce object ownership or elevated privileges, enabling unauthorized deletion of feedback items. This flaw was confirmed by successful deletion of another user's feedback by a non-privileged account. The issue is resolved in Scoold version 1.66.1.
Potential Impact
The vulnerability allows unauthorized deletion of feedback posts by any logged-in user without requiring moderator or admin privileges. This can lead to loss of user-generated content and potential disruption of feedback integrity within the platform. There is no confidentiality or availability impact reported, but the integrity of feedback data is compromised.
Mitigation Recommendations
Upgrade Scoold to version 1.66.1 or later, where this authorization flaw has been patched. Prior to upgrading, restrict access to feedback deletion endpoints to trusted users only if possible. Patch status is confirmed as fixed in version 1.66.1.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T20:52:53.284Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69cec5aae6bfc5ba1dfbd81e
Added to database: 4/2/2026, 7:38:18 PM
Last enriched: 4/9/2026, 10:47:21 PM
Last updated: 5/20/2026, 7:22:09 AM
Views: 41
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.