CVE-2026-38587 Overview
CVE-2026-38587 is an Insecure Direct Object Reference (IDOR) vulnerability in ONLYOFFICE DocSpace versions before 3.2.1. The flaw resides in multiple REST API endpoints that fail to enforce proper authorization checks on requested objects. Authenticated users holding low-privilege roles such as User or Guest can retrieve sensitive data reserved for administrators. Exposed information includes the Owner's unique identifier and profile details. The weakness is classified under CWE-639: Authorization Bypass Through User-Controlled Key.
Critical Impact
Low-privilege authenticated users can enumerate administrator and Owner account information through unauthorized REST API calls, enabling reconnaissance for follow-on identity-based attacks.
Affected Products
- ONLYOFFICE DocSpace versions prior to 3.2.1
- Self-hosted DocSpace deployments using the affected REST API endpoints
- DocSpace instances exposing API access to User or Guest role accounts
Discovery Timeline
- 2026-05-26 - CVE-2026-38587 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-38587
Vulnerability Analysis
The vulnerability stems from missing object-level authorization on multiple REST API endpoints in ONLYOFFICE DocSpace. When an authenticated client requests a resource by a direct identifier, the application returns the record without verifying that the caller's role permits access to that object. This is the CWE-639 pattern: the access decision follows a user-controlled key rather than a server-side authorization check.
The exposed data includes the workspace Owner's unique identifier and profile information. Those identifiers are sensitive because they let a low-privilege user pinpoint the highest-value accounts in the tenant for credential attacks, social engineering, and account takeover attempts. Exploitation requires only valid credentials at the lowest privilege tier, including Guest accounts, which many deployments hand out freely for collaboration.
Root Cause
The root cause is broken access control at the API layer. The affected endpoints accept object identifiers in request parameters and return the corresponding records without checking whether the authenticated session has the role required to view administrative data. Authorization is implied by authentication rather than enforced per object and per field.
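The following is an added illustration of the root-cause pattern, not ONLYOFFICE code (the vendor has not published the affected handlers). It uses a constructed in-memory user directory and a hypothetical profile lookup to contrast the CWE-639 shape, where any authenticated caller receives whatever record it names, with a handler that decides per object and per field from the caller's role. The role names, field split and "unknown id is denied the same way as a forbidden id" rule are design choices made here for the example, not DocSpace's actual policy.

```python
from dataclasses import dataclass

# Constructed directory used only for this illustration; not DocSpace data or code.
@dataclass(frozen=True)
class Profile:
    user_id: str
    display_name: str
    email: str
    role: str  # "Owner", "Admin", "User" or "Guest"


USERS = {
    "u-owner": Profile("u-owner", "Workspace Owner", "owner@example.test", "Owner"),
    "u-admin": Profile("u-admin", "Site Admin", "admin@example.test", "Admin"),
    "u-user": Profile("u-user", "Alice", "alice@example.test", "User"),
    "u-guest": Profile("u-guest", "Guest Bob", "bob@example.test", "Guest"),
}

PRIVILEGED = {"Owner", "Admin"}
PUBLIC_FIELDS = ("user_id", "display_name")      # safe for any authenticated caller
FULL_FIELDS = PUBLIC_FIELDS + ("email", "role")  # reserved for the account itself and admins


class Forbidden(Exception):
    """Raised for any denied lookup; the same error is used for unknown ids."""


def _project(profile, fields):
    return {name: getattr(profile, name) for name in fields}


def get_profile_vulnerable(caller_id, target_id):
    """CWE-639 shape: authorization is implied by authentication.

    Any logged-in caller receives the full record for whatever id it supplies,
    so a Guest can resolve the Owner's identifier, e-mail and role."""
    if caller_id not in USERS:
        raise Forbidden("not authenticated")
    return _project(USERS[target_id], FULL_FIELDS)


def get_profile_fixed(caller_id, target_id):
    """Object-level and field-level authorization decided server-side from the caller's role."""
    caller = USERS.get(caller_id)
    if caller is None:
        raise Forbidden("not authenticated")
    target = USERS.get(target_id)
    # Deny unknown ids with the same error as forbidden ones so the endpoint
    # cannot be used as an existence oracle during enumeration.
    if target is None:
        raise Forbidden("denied")
    if caller_id == target_id or caller.role in PRIVILEGED:
        return _project(target, FULL_FIELDS)
    if target.role in PRIVILEGED:
        raise Forbidden("denied")  # low-privilege roles may not resolve Owner/Admin accounts
    return _project(target, PUBLIC_FIELDS)


if __name__ == "__main__":
    print(get_profile_vulnerable("u-guest", "u-owner"))  # leaks the Owner's e-mail and role
    try:
        get_profile_fixed("u-guest", "u-owner")
    except Forbidden as exc:
        print("fixed endpoint:", exc)
```

The important difference is where the decision is made: the fixed handler never consults the request-supplied id to decide what to return, only the caller's server-side role and the relationship between caller and target.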
Attack Vector
The attack vector is network-based and authenticated. An attacker obtains or is granted a low-privilege account, then issues crafted REST API requests to the vulnerable endpoints. The server responds with Owner identifiers and profile metadata. Code examples are not published by the vendor. See the ONLYOFFICE DocSpace Changelog for the security entry covering this fix.
Detection Methods for CVE-2026-38587
Indicators of Compromise
- REST API requests from User or Guest role accounts to endpoints that return Owner or administrator profile fields
- Repeated enumeration patterns iterating through user identifiers in API parameters
- API responses containing administrator profile fields delivered to low-privilege session tokens
Detection Strategies
- Inspect DocSpace API access logs for non-admin sessions retrieving Owner identifiers or admin profile attributes
- Baseline normal API call patterns per role and alert on deviations from low-privilege accounts
- Correlate authentication events with subsequent high-value API endpoint access to detect reconnaissance
Monitoring Recommendations
- Forward DocSpace application and reverse proxy logs to a centralized analytics platform for role-based access review
- Track Guest account creation and immediate API activity as a behavioral signal
- Monitor outbound API traffic volume per session to detect bulk enumeration of user objects
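As an added example of the detection and monitoring strategies above (not tooling from ONLYOFFICE or this advisory), the script below correlates a session-to-role map, as you would derive it from DocSpace authentication events, with forwarded access-log lines, and flags two of the listed indicators: low-privilege sessions reading other users' profiles, and sessions that touch many distinct user identifiers. The log line format, the sample lines and the session-to-role map are constructed for the example; the `/api/2.0/people/` path pattern is an assumption, since the exact vulnerable endpoints are not published, so adapt `LINE` and `PROFILE_PATH` to the log format and paths you actually see.

```python
import re
from collections import defaultdict

# Constructed sample log: "<timestamp> <session id> <method> <path> <status>".
# Real reverse-proxy or DocSpace logs differ; adapt parse_line() accordingly.
SAMPLE_LOG = """\
2026-05-27T10:00:01Z sess-guest-1 GET /api/2.0/people/@self 200
2026-05-27T10:00:02Z sess-guest-1 GET /api/2.0/people/0f1e2d3c 200
2026-05-27T10:00:03Z sess-guest-1 GET /api/2.0/people/0f1e2d3d 200
2026-05-27T10:00:04Z sess-guest-1 GET /api/2.0/people/0f1e2d3e 200
2026-05-27T10:00:05Z sess-guest-1 GET /api/2.0/people/0f1e2d3f 200
2026-05-27T10:00:06Z sess-admin-1 GET /api/2.0/people/0f1e2d3c 200
2026-05-27T10:00:07Z sess-user-1 GET /api/2.0/files/rooms 200
"""

# Constructed: session -> role, as correlated from authentication events.
SESSION_ROLES = {"sess-guest-1": "Guest", "sess-admin-1": "Admin", "sess-user-1": "User"}

PRIVILEGED = {"Owner", "Admin"}
# Assumed watch pattern for per-user profile reads; tune to the vendor changelog.
PROFILE_PATH = re.compile(r"^/api/2\.0/people/(?P<target>[^/?]+)")
LINE = re.compile(r"^(?P<ts>\S+) (?P<session>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def parse_line(line):
    """Parse one constructed-format log line; returns None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["status"] = int(event["status"])
    return event


def detect(log_text, session_roles, enum_threshold=3):
    """Return findings as tuples.

    ("low_priv_profile_read", session, role, target): a session without a
        privileged role successfully read another user's profile.
    ("enumeration", session, role, distinct_targets): a session read at least
        enum_threshold distinct user identifiers, regardless of role.
    Sessions missing from session_roles are treated as unprivileged."""
    findings = []
    targets_by_session = defaultdict(set)
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if event is None or event["status"] != 200:
            continue  # only successful responses delivered data
        m = PROFILE_PATH.match(event["path"])
        if not m:
            continue
        target = m.group("target")
        if target == "@self":
            continue  # reading one's own profile is expected for every role
        role = session_roles.get(event["session"], "unknown")
        if role not in PRIVILEGED:
            findings.append(("low_priv_profile_read", event["session"], role, target))
        targets_by_session[event["session"]].add(target)
    for session, targets in targets_by_session.items():
        if len(targets) >= enum_threshold:
            findings.append(("enumeration", session, session_roles.get(session, "unknown"), len(targets)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG, SESSION_ROLES):
        print(finding)
```

Run it over the period preceding the upgrade with a realistic threshold for your tenant size; the enumeration rule fires on privileged sessions too, because a compromised admin session iterating the directory is equally worth a look.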
How to Mitigate CVE-2026-38587
Immediate Actions Required
- Upgrade ONLYOFFICE DocSpace to version 3.2.1 or later on all self-hosted instances
- Audit existing User and Guest accounts and revoke those that are no longer required
- Review API access logs for the period preceding the upgrade to identify possible enumeration activity
Patch Information
ONLYOFFICE addressed CVE-2026-38587 in DocSpace 3.2.1. The fix introduces proper authorization checks on the affected REST API endpoints so that administrator and Owner information is no longer returned to low-privilege roles. Refer to the ONLYOFFICE DocSpace Changelog for the security section covering this release.
Workarounds
- Restrict Guest account provisioning until the upgrade is applied
- Place DocSpace behind a reverse proxy and filter or rate-limit access to sensitive API paths
- Limit network exposure of the DocSpace API to trusted client networks where feasible
# Verify installed DocSpace version after upgrade.
# The container name and version file path are deployment-specific; adjust
# them to match your compose file and image layout.
docker exec -it onlyoffice-docspace cat /var/www/products/ASC.Files/Server/version.txt

# Example reverse proxy rule restricting sensitive API paths to admin networks.
# nginx snippet. Caveat: this blocks the people API for every client outside
# the allowed range, including legitimate User and Guest sessions, so it is a
# stopgap that degrades collaboration features until 3.2.1 is deployed.
# "docspace_backend" must be an upstream you have defined elsewhere.
location /api/2.0/people/ {
    allow 10.0.0.0/8;   # replace with your administrative network range
    deny all;
    proxy_pass http://docspace_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


