CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

© 2026 CVEReports. All rights reserved.


CVE-2026-32299: Improper Authorization and Data Leakage in Connect-CMS

Amit Schendel, Senior Security Researcher

Mar 24, 2026

No Known Exploit

Executive Summary (TL;DR)

Unauthenticated attackers can read restricted content in Connect-CMS due to flawed authorization middleware and missing frame-to-page validation.

Connect-CMS versions prior to 1.41.1 and 2.41.1 contain an improper authorization vulnerability in the content retrieval logic. The flaw allows unauthenticated remote attackers to retrieve non-public information by exploiting an incomplete route coverage implementation and a missing frame-to-page ID validation check.

Vulnerability Overview

Connect-CMS is a content management system that relies on a hierarchical structure of pages and content frames. Pages represent the navigational structure, while frames act as plugin instances that render specific content on those pages. The application uses a middleware-based approach to enforce visibility and IP-based access restrictions across these resources.

CVE-2026-32299 is an improper authorization vulnerability (CWE-284) affecting the 1.x and 2.x branches of Connect-CMS. The flaw resides in the content retrieval feature, specifically within the route authorization middleware and the frame validation logic. Unauthenticated remote attackers can exploit this vulnerability to extract non-public information from the application.

The vulnerability exposes restricted content frames attached to private or unpublished pages. Attackers achieve this by manipulating route parameters to bypass middleware checks that were incorrectly constrained to a hardcoded list of routes. The impact is limited to data confidentiality, but it requires no elevated privileges or user interaction to execute.

Root Cause Analysis

The root cause of CVE-2026-32299 involves two distinct logical failures in the Connect-CMS architecture. The first failure exists within the ConnectPage middleware (app/Http/Middleware/ConnectPage.php), which determines whether an incoming request requires authorization checks. The middleware used a hardcoded method named isPageLimitCheckRoute to define the scope of its enforcement.

Prior to the patch, critical content retrieval endpoints were omitted from this method. Routes such as get_json, post_json, get_download, and post_download bypassed the checkPageForbidden logic entirely. This architectural oversight allowed direct, unauthenticated access to endpoints designed to serve plugin-specific JSON data and file attachments.

The second failure is an Insecure Direct Object Reference (IDOR) vulnerability in the controller logic. Connect-CMS routes typically accept both a page_id and a frame_id. The backend controllers verified that the requested page_id was accessible to the user, but they failed to validate the relationship between the page_id and the frame_id.

An attacker could supply a publicly accessible page_id alongside a frame_id that belonged to a restricted page. Because the controller only checked the permissions of the page_id, the authorization check would pass. The application would then fetch and return the content for the restricted frame_id.
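To make the two logical failures concrete, here is an added model of the authorization flow, written for this report and not taken from Connect-CMS. It reduces the middleware and controller to a few Python functions: `vulnerable()` enforces page visibility only on a hard-coded route set and never checks that the frame belongs to the page, while `hardened()` covers the content-serving routes and adds the frame-to-page check described in the Code Analysis section. The route names come from the report; the page/frame data and IDs are constructed sample values.

```python
"""Model of the CVE-2026-32299 authorization flaw (constructed example).

Not Connect-CMS code. It models the two checks the report describes:
  1. a middleware that enforces visibility only on a hard-coded route list,
  2. a controller that authorizes page_id but never checks that frame_id
     belongs to that page.
The hardened variant applies both fixes. All page/frame data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Page:
    page_id: int
    public: bool


@dataclass(frozen=True)
class Frame:
    frame_id: int
    page_id: int      # the page this frame is attached to
    content: str


# Constructed sample data: page 1 is public, page 2 is private.
PAGES = {1: Page(1, True), 2: Page(2, False)}
FRAMES = {
    10: Frame(10, 1, "welcome text"),
    20: Frame(20, 2, "internal draft"),
}

# Vulnerable: the hard-coded list omits the JSON/download routes.
LIMIT_CHECK_ROUTES_OLD = {"show_page"}
# Hardened: the content-serving routes named in the report are covered too.
LIMIT_CHECK_ROUTES_NEW = LIMIT_CHECK_ROUTES_OLD | {
    "get_json", "post_json", "get_download", "post_download",
}


def page_visible(page_id, authenticated):
    """Page-level visibility check: private pages need an authenticated user."""
    page = PAGES.get(page_id)
    return page is not None and (page.public or authenticated)


def serve_frame(route, page_id, frame_id, authenticated, *, limit_routes, validate_frame):
    """Return the frame content, or None when the request is denied.

    `limit_routes` is the set of routes the middleware enforces on;
    `validate_frame` toggles the frame-to-page relationship check.
    """
    # Middleware: only enforce page visibility on listed routes.
    if route in limit_routes and not page_visible(page_id, authenticated):
        return None
    frame = FRAMES.get(frame_id)
    if frame is None:
        return None
    # The check that was missing: does the frame belong to the requested page?
    if validate_frame and frame.page_id != page_id:
        return None
    return frame.content


def vulnerable(route, page_id, frame_id, authenticated=False):
    """Pre-patch behaviour: incomplete route list, no frame-to-page check."""
    return serve_frame(route, page_id, frame_id, authenticated,
                       limit_routes=LIMIT_CHECK_ROUTES_OLD, validate_frame=False)


def hardened(route, page_id, frame_id, authenticated=False):
    """Patched behaviour: full route coverage plus frame-to-page check."""
    return serve_frame(route, page_id, frame_id, authenticated,
                       limit_routes=LIMIT_CHECK_ROUTES_NEW, validate_frame=True)


if __name__ == "__main__":
    # Failure 1: an omitted route skips the middleware for a private page.
    print("omitted route, private page:", vulnerable("get_json", 2, 20), "->", hardened("get_json", 2, 20))
    # Failure 2: public page_id paired with a frame from a private page.
    print("public page, private frame:", vulnerable("show_page", 1, 20), "->", hardened("show_page", 1, 20))
    # Legitimate request still works after hardening.
    print("public page, own frame:", hardened("get_json", 1, 10))
```

Each failure is exercised independently: the omitted-route case is denied by route coverage alone, and the mismatched-IDs case is denied by the relationship check alone, which is why the fix needed both parts.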

Code Analysis

The remediation for CVE-2026-32299 required modifications to both the middleware and the controllers. The patches were introduced in commits 8ef15cdc310fc784ae3755f49130da61ebba1bea and c2519d7983e850bb45dd60cea99db0fe97ed6edd. The fix addresses both the route coverage omissions and the entity relationship validation.

The developers expanded the isPageLimitCheckRoute method in ConnectPage.php to include the previously vulnerable routes. This ensures that requests targeting JSON data and downloads are subject to the same visibility and IP restrictions as standard page requests. The middleware now acts as a consistent gatekeeper for all content-serving endpoints.

To address the IDOR vulnerability, the patch introduces a new method isValidPageAndFrame within the middleware. This function retrieves the frame object corresponding to the provided route_frame_id and compares its internal page_id against the route_page_id supplied in the URL. If the IDs do not match, the middleware rejects the request.

// app/Http/Middleware/ConnectPage.php (Patched)
private function isValidPageAndFrame($request)
{
    $route_page_id = $request->route('page_id');
    $route_frame_id = $request->route('frame_id');
    
    $frame = $request->attributes->get('frame');
    if (empty($frame)) {
        return false;
    }
    
    // Validates that the requested frame actually belongs to the requested page
    return ((int)$frame->page_id === (int)$route_page_id);
}

Additionally, the DefaultController.php methods invokeGetJson and invokePostDownload were updated. They now explicitly check for an http_status_code attribute set by the middleware. If an authorization failure occurs, the controller aborts execution immediately rather than returning the requested frame data.

Exploitation

Exploitation of CVE-2026-32299 requires no specialized tools and can be executed via standard HTTP GET or POST requests. The attacker must operate over the network, but no prior authentication or session establishment is necessary. The exploit path relies solely on enumerating or guessing valid integer IDs for pages and frames.

The first step involves identifying a valid page_id that is configured for public access. This serves as the authorization anchor. The attacker then enumerates frame_id values, targeting frames that are attached to non-public pages. The sequential nature of these integer IDs makes enumeration highly feasible.

The attacker constructs a request targeting one of the omitted routes, such as /json/contents/show/{page_id}/{frame_id}. By combining the public page_id with the restricted frame_id, the attacker satisfies the flawed controller logic. The middleware ignores the route, and the controller processes the request based on the public page's permissions.

The application responds with the JSON payload containing the contents of the restricted frame. For download routes, the attacker can retrieve metadata or file contents associated with non-public attachments. This allows comprehensive mapping and extraction of sensitive data stored within the CMS.

Impact Assessment

The vulnerability carries a CVSS v3.1 base score of 7.5, reflecting a high severity issue centered entirely on confidentiality loss. The attack vector is strictly network-based (AV:N), and the exploit complexity is low (AC:L). The absence of required privileges (PR:N) or user interaction (UI:N) makes this flaw highly accessible to automated exploitation.

The primary consequence is the unauthorized disclosure of information stored within Connect-CMS. This includes text content, plugin data, and uploaded files that administrators explicitly marked as private or restricted. Depending on the site's purpose, this data could range from draft blog posts to sensitive internal company documents.

The integrity and availability of the system remain unaffected (I:N, A:N). Attackers cannot modify content, delete frames, or disrupt the operation of the CMS through this specific vector. The risk is strictly constrained to read-only access of data managed by the frame subsystem.

Remediation

The primary remediation for CVE-2026-32299 is to upgrade the Connect-CMS installation to a patched version. Administrators running the 1.x series must update to version 1.41.1. Deployments using the 2.x series must upgrade to version 2.41.1. These releases contain the comprehensive middleware and controller fixes necessary to prevent the attack.

If immediate patching is not possible, administrators should monitor web server access logs for anomalous behavior. Security teams should look for high-volume requests targeting the /json/ and /download/ endpoint paths. Specifically, requests combining known public page IDs with a rapidly iterating sequence of frame IDs strongly indicate enumeration attempts.
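The log-monitoring advice above can be turned into a simple heuristic. The following is an added example written for this report, not a tool from Connect-CMS or its maintainers: it parses access-log lines in the common "combined" format, keeps only requests under /json/ and /download/, and flags a source IP that pairs one page_id with many distinct frame_ids inside a short window. It assumes the last two path segments are {page_id}/{frame_id}, as in the /json/contents/show/{page_id}/{frame_id} route named earlier; the log lines, IPs and thresholds are constructed.

```python
"""Access-log heuristic for CVE-2026-32299 frame enumeration (constructed example).

Not part of the report or of Connect-CMS. Flags (ip, page_id) pairs that
request many distinct frame_ids in a short window on the /json/ or
/download/ paths. Assumption: the last two path segments are
{page_id}/{frame_id}; log format is Apache/Nginx "combined".
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# /json/<plugin>/<action>/<page_id>/<frame_id> or the same shape under /download/
PATH_RE = re.compile(
    r'^/(?:json|download)/[^/?]+/[^/?]+/(?P<page>\d+)/(?P<frame>\d+)(?:[/?].*)?$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one client walks frames 40..44 on page 1 in seconds,
# another makes two unrelated requests.
SAMPLE_LOG = """\
203.0.113.7 - - [23/Mar/2026:10:00:01 +0000] "GET /json/contents/show/1/40 HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:10:00:02 +0000] "GET /json/contents/show/1/41 HTTP/1.1" 200 498 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:10:00:02 +0000] "GET /json/contents/show/1/42 HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:10:00:03 +0000] "GET /json/contents/show/1/43 HTTP/1.1" 200 733 "-" "curl/8.0"
203.0.113.7 - - [23/Mar/2026:10:00:04 +0000] "GET /json/contents/show/1/44 HTTP/1.1" 200 120 "-" "curl/8.0"
198.51.100.9 - - [23/Mar/2026:10:00:05 +0000] "GET /json/contents/show/1/40 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Mar/2026:10:03:05 +0000] "GET /json/contents/show/3/12 HTTP/1.1" 200 222 "-" "Mozilla/5.0"
198.51.100.9 - - [23/Mar/2026:10:03:06 +0000] "GET /index.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, page_id, frame_id, status), or None for non-content routes."""
    m = LOG_RE.match(line)
    if not m:
        return None
    p = PATH_RE.match(m.group("path"))
    if not p:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(p.group("page")), int(p.group("frame")), int(m.group("status"))


def find_enumeration(lines, min_frames=5, window=timedelta(minutes=5)):
    """Return {(ip, page_id): sorted frame_ids} for pairs that touch >= min_frames
    distinct frame_ids within `window`. Status is deliberately ignored: on a
    patched server the same pattern shows up as denied requests and is still
    worth an alert.
    """
    events = defaultdict(list)          # (ip, page_id) -> [(ts, frame_id)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, page_id, frame_id, _status = rec
        events[(ip, page_id)].append((ts, frame_id))

    flagged = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over timestamps; count distinct frames inside it.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            frames = {f for _, f in evs[start:end + 1]}
            if len(frames) >= min_frames:
                flagged[key] = sorted(frames)
                break
    return flagged


if __name__ == "__main__":
    for (ip, page_id), frames in find_enumeration(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} enumerated {len(frames)} frames on page {page_id}: {frames}")
```

Tune `min_frames` and `window` against normal traffic before alerting on them: a legitimate page with many frames will produce several frame_ids per page view, so the threshold should sit above the largest frame count on any public page.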

Organizations developing custom plugins for Connect-CMS must review their codebase. Developers must ensure that all custom content retrieval endpoints explicitly validate the relationship between requested entities. Relying solely on the parent object's authorization state without verifying ownership of the child object introduces significant risk.

Official Patches

  • opensource-workshop/Connect-CMS v1.41.1 Release Notes
  • opensource-workshop/Connect-CMS v2.41.1 Release Notes

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Systems

Connect-CMS 1.x < 1.41.1
Connect-CMS 2.x < 2.41.1

Affected Versions Detail

Product       Vendor                Affected Versions    Fixed Version
connect-cms   opensource-workshop   < 1.41.1             1.41.1
connect-cms   opensource-workshop   >= 2.0.0, < 2.41.1   2.41.1

Attribute            Detail
CWE ID               CWE-284 (Improper Access Control)
Attack Vector        Network
CVSS v3.1            7.5 (High)
Impact               Confidentiality Loss
Privileges Required  None
Exploit Status       Unexploited
KEV Status           Not Listed

MITRE ATT&CK Mapping

T1190 Exploit Public-Facing Application (Initial Access)

CWE-284 Improper Access Control

The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Vulnerability Timeline

  • 2026-03-23: Advisory published by OpenSource-WorkShop
  • 2026-03-23: CVE-2026-32299 published
  • 2026-03-23: Patches released in versions 1.41.1 and 2.41.1

References & Sources

  • [1] Official Security Advisory (GHSA-62ch-j6x7-722j)
  • [2] NVD Release Details
