CVE-2026-34372: Sulu checks fix permissions for subentities endpoints
A user who has permission for the Sulu Admin via at least one role could access the subentities of contacts via the admin API without even having permission for contacts.