CVE-2026-39354 Overview
CVE-2026-39354 is an authenticated authorization bypass vulnerability affecting Scoold, a Q&A and knowledge sharing platform for teams. Prior to version 1.66.2, the application contains an Insecure Direct Object Reference (IDOR) flaw that allows any authenticated user with low privileges to overwrite existing questions created by other users.
The vulnerability exists in the question creation endpoint where the application fails to properly validate whether the authenticated user has authorization to modify an existing question when a postId parameter is supplied. Since question IDs are publicly exposed in URLs, attackers can easily harvest victim question IDs and overwrite legitimate content with attacker-controlled data.
Critical Impact
Low-privilege authenticated users can overwrite any existing question content, causing direct integrity loss of user-generated content and corrupting discussion threads across the platform.
Affected Products
- Scoold versions prior to 1.66.2
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-39354 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39354
Vulnerability Analysis
This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, commonly known as Insecure Direct Object Reference (IDOR). The flaw resides in Scoold's question submission endpoint at POST /questions/ask.
When processing question submissions, the application accepts a postId parameter that references an existing question object. The critical security failure occurs because the application does not verify that the authenticated user making the request is actually the owner of the referenced question before allowing modifications. This creates a horizontal privilege escalation scenario where any authenticated user can modify content belonging to other users.
The attack is trivial to execute because question IDs are not treated as secrets—they are directly exposed in question URLs visible to all users browsing the platform. An attacker simply needs to copy a question ID from any visible URL and include it in their malicious request.
Root Cause
The root cause is missing authorization validation in the question update logic. When processing the POST /questions/ask endpoint with an existing postId parameter, the application updates the referenced question object without verifying ownership. The application trusts the user-supplied postId value and allows the modification to proceed solely based on the user being authenticated, without checking if that user has permission to modify the specific resource.
Attack Vector
The attack is network-based and requires the attacker to have valid low-privilege credentials on the Scoold platform. The exploitation flow involves:
- The attacker authenticates to the Scoold platform with any valid user account
- The attacker browses the platform and copies a question ID from any visible question URL
- The attacker crafts a POST request to /questions/ask including the victim's question ID as the postId parameter along with attacker-controlled content
- The server processes the request and overwrites the existing question with the attacker's content, destroying the original content and corrupting any associated discussion thread
The vulnerability manifests in the question submission handler where authorization checks are bypassed. An attacker submits a POST request to /questions/ask with a postId parameter containing another user's question identifier. Because the endpoint only validates authentication (that the user is logged in) but not authorization (that the user owns the resource), the overwrite proceeds. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-39354
Indicators of Compromise
- Unexpected modifications to question content where the modifier differs from the original author
- User complaints about questions being altered or replaced with different content
- Audit log entries showing POST requests to /questions/ask with postId parameters referencing questions not owned by the requesting user
- Sudden changes in question metadata timestamps without corresponding legitimate user activity
Detection Strategies
- Monitor access logs for POST requests to /questions/ask that include postId parameters, especially from users who did not create the original question
- Implement integrity monitoring on question content to detect unauthorized modifications
- Correlate authentication logs with content modification events to identify mismatches between content owners and modifiers
- Deploy web application firewall rules to flag suspicious patterns of postId parameter usage
Monitoring Recommendations
- Enable detailed audit logging for all content modification operations including user identity and request parameters
- Configure alerts for question content changes where the authenticated user differs from the question owner
- Regularly review access patterns to the /questions/ask endpoint for anomalous behavior
- Implement change tracking on question objects to maintain historical records of content modifications
How to Mitigate CVE-2026-39354
Immediate Actions Required
- Upgrade Scoold to version 1.66.2 or later immediately to remediate this vulnerability
- Audit existing questions for evidence of unauthorized modifications or content tampering
- Review access logs for suspicious POST requests to /questions/ask with postId parameters
- Consider temporarily restricting question editing capabilities until the patch is applied if immediate upgrade is not possible
Patch Information
The vulnerability is remediated in Scoold version 1.66.2. Organizations should upgrade to this version or later to address the authorization bypass. The fix implements proper ownership validation before allowing question modifications through the postId parameter. Review the GitHub Security Advisory for complete patch details.
Workarounds
- If immediate patching is not feasible, consider implementing a reverse proxy rule to strip or block postId parameters from POST requests to /questions/ask
- Restrict application access to trusted users only until the patch can be deployed
- Increase monitoring on question modification events to quickly detect and respond to exploitation attempts
- Consider taking the Scoold instance offline if it contains sensitive information and cannot be patched immediately
# Upgrade Scoold to patched version
# Follow your deployment method to update to version 1.66.2 or later
# Example for Docker deployments:
docker pull erudika/scoold:1.66.2
docker-compose down && docker-compose up -d
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
