CVE-2026-32300

High

Published: 23 March 2026

Published

23 March 2026

Modified

24 March 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0001 2.7th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-32300 is a high-severity Improper Authorization (CWE-285) vulnerability in Opensource-Workshop Connect-Cms. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 2.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly enforces approved authorizations for accessing and modifying user profile information, addressing the improper authorization flaw that allows arbitrary user data changes.

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of identified flaws like this improper authorization vulnerability through patching, as provided in Connect-CMS versions 1.41.1 and 2.41.1.

AC-6 Least Privilege partial match

prevent

Employs least privilege to restrict low-privilege users from modifying arbitrary user profiles, mitigating the impact of failed authorization enforcement.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1565 Data Manipulation Impact

Adversaries may insert, delete, or manipulate data in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Improper authorization in profile update directly enables unauthorized account/role modification (T1098), stored data manipulation (T1565), and privilege escalation (T1068) in a remotely accessible CMS (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Connect-CMS is a content management system. In versions on the 1.x series up to and including 1.41.0 and versions on the 2.x series up to and including 2.41.0, an improper authorization issue in the My Page profile update feature may…

allow modification of arbitrary user information. Versions 1.41.1 and 2.41.1 contain a patch.

Deeper analysisAI

CVE-2026-32300 is an improper authorization vulnerability (CWE-285, CWE-639) in the My Page profile update feature of Connect-CMS, an open-source content management system. It affects versions in the 1.x series up to and including 1.41.0, as well as versions in the 2.x series up to and including 2.41.0. The flaw enables attackers to modify arbitrary user information due to insufficient checks on authorization. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity with significant confidentiality and integrity impacts.

An authenticated attacker with low privileges, such as a registered user, can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows the attacker to alter any user's profile data, potentially enabling account takeover, privilege escalation through modified roles, or data manipulation across the CMS installation.

Mitigation is available via patches in Connect-CMS versions 1.41.1 and 2.41.1, as detailed in the project's GitHub security advisory (GHSA-qr6x-wvxr-8hm9) and release notes. The fixing commit (7c9951738c62a1d51b91e9956d1eb756c5d52cce) addresses the authorization logic. Security practitioners should prioritize upgrading affected instances and review access controls in similar profile update features.