What is GHSA-9m6v-8fxc-4r44?

GHSA-9m6v-8fxc-4r44 is a security advisory published by GitHub Security Advisories with Low severity. Sulu: Used API Keys may be available via Admin API

Why does GHSA-9m6v-8fxc-4r44 have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

Which products are affected by GHSA-9m6v-8fxc-4r44?

GHSA-9m6v-8fxc-4r44 affects 2 products, including: composer/sulu/sulu:\u003e= 3.0.0-alpha1, \u003c= 3.0.5; composer/sulu/sulu:\u003c= 2.6.22.

GHSA-9m6v-8fxc-4r44LowDisclosed before NVD

Sulu: Used API Keys may be available via Admin API

Vendor

GitHub Security Advisories

Published

May 18, 2026

Last Modified

May 18, 2026

📋 Description

### Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. ### Patches A patch is released with Version 2.6.23 and 3.0.5. ### Workarounds Remove the field descriptor by patch the UserController.php File in Sulu Security Bundle.

🎯 Affected products2

composer/sulu/sulu:>= 3.0.0-alpha1, <= 3.0.5
composer/sulu/sulu:<= 2.6.22

🔗 References (4)

https://github.com/sulu/sulu/security/advisories/GHSA-9m6v-8fxc-4r44
https://github.com/sulu/sulu/releases/tag/2.6.23
https://github.com/sulu/sulu/releases/tag/3.0.6
https://github.com/advisories/GHSA-9m6v-8fxc-4r44