CVE-2026-38587
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/05/2026
Last modified:
26/05/2026
Description
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
Impact
Base Score 3.x
4.30
Severity 3.x
MEDIUM



