CVE-2026-38587
Description
AI Translation Available
An Insecure Direct Object Reference (IDOR) vulnerability was discovered in ONLYOFFICE DocSpace before 3.2.1. The flaw exists in multiple REST API endpoints. This allows authenticated users with low-level permissions (User or Guest) to retrieve sensitive information, such as the Owner's unique identifier (ID) and profile information, which should only be accessible to administrators.
https://github.com/ONLYOFFICE/DocSpace/blob/master/CHANGELOG.md#security