CVE-2026-53675: BuddyPress Friends API Authorization Bypass
BuddyPress 14.4.0 has a flaw in its friends REST API that allows any logged-in user to view another user's complete friend list without permission. The vulnerability exists because the API endpoint checks only that someone is authenticated, not whether they should have access to the specific friend list being requested. An attacker with any user account can enumerate and collect the private social connections of any other user on the platform.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
BuddyPress 14.4.0 contains an insecure direct object reference vulnerability in the friends REST API that allows any authenticated attacker to enumerate another user's complete friend list. Attackers can query the friends endpoint with an arbitrary user_id because the get_items_permissions_check method only verifies that the requester is logged in and never checks ownership of the requested list, resulting in disclosure of users' private social connections.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-53675 is an insecure direct object reference (IDOR) vulnerability affecting BuddyPress 14.4.0's friends REST API endpoint. The vulnerability resides in the get_items_permissions_check method, which performs insufficient authorization validation. While the method verifies that the requester holds an authenticated session (PR:L), it fails to enforce ownership checks or role-based access controls on the requested user_id parameter. This permits authenticated attackers to bypass authorization and directly reference arbitrary user objects, retrieving their friend list data. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).
Business impact
This vulnerability creates privacy and reputational risks for BuddyPress site operators and their user communities. Friend lists often contain sensitive social relationship data that users expect to remain private. Unauthorized enumeration of these lists could facilitate social engineering, targeted harassment, stalking, or competitive intelligence gathering. For platforms operating under data protection regulations such as GDPR or CCPA, unauthorized disclosure of user relationship metadata may trigger compliance obligations and potential liability. The attack requires only a low-privilege authenticated session, meaning any registered user—including free-tier or guest accounts—can execute the attack at scale.
Affected systems
BuddyPress version 14.4.0 is confirmed affected. Users running earlier or later versions should verify their specific release against the vendor advisory to determine applicability. BuddyPress installations with the friends REST API endpoint enabled and user authentication configured are at risk.
Exploitability
The vulnerability is relatively straightforward to exploit. An attacker needs only a valid user account on the target BuddyPress instance. From there, they can directly query the friends endpoint with manipulated user_id parameters to enumerate friend lists across the platform. No user interaction is required, no special network positioning is needed, and exploitation can be automated and scaled. The attack leaves minimal forensic traces unless detailed API access logging is enabled. The CVSS:3.1 score of 4.3 (MEDIUM) reflects the low attack complexity and low privilege requirement, though the impact is limited to confidentiality of social relationship data rather than system integrity or availability.
Remediation
Site administrators should upgrade BuddyPress to a patched version that implements proper authorization checks in the friends REST API endpoint. Verify the specific patched version number in the official BuddyPress security advisory. In the interim, consider disabling public access to the friends REST API if not essential, restricting the endpoint via web application firewall rules, or implementing additional authorization middleware. Review access logs to identify whether unauthorized enumeration has already occurred.
Patch guidance
Consult the official BuddyPress security advisory for the specific patched version addressing CVE-2026-53675. Apply the patch during a maintenance window after testing in a staging environment to ensure compatibility with any custom code or plugins. Verify that the patched version includes authorization checks in the get_items_permissions_check method or its replacement. After patching, confirm that the friends endpoint now properly validates user ownership before returning friend list data.
Detection guidance
Monitor REST API access logs for repeated queries to the /friends endpoint with varying user_id parameters from a single authenticated session or IP address. Establish baselines for normal friend list query patterns per user role. Alert on suspicious patterns such as a single account querying hundreds of distinct user_id values in a short timeframe, or queries originating from automated tools. Enable detailed API audit logging if not already in place. Review access logs from the publication date (2026-06-10) backward to identify potential past exploitation.
Why prioritize this
While the CVSS score is MEDIUM (4.3), this vulnerability warrants prompt attention because: (1) exploitation requires minimal skill and is easily automated, (2) any authenticated account can exploit it regardless of privilege level, (3) the attack is difficult to detect without detailed logging, (4) the data exposed—social relationships—is sensitive and potentially used downstream for further attacks, and (5) regulatory and reputational damage from privacy breaches can be substantial. Organizations should prioritize patching within 2–4 weeks depending on their user base size and sensitivity of exposed data.
Risk score, explained
The CVSS:3.1 score of 4.3 reflects a network-accessible endpoint (AV:N) that is trivial to attack (AC:L) and requires only valid credentials (PR:L) with no user interaction (UI:N). The scope is unchanged (S:U), and the impact is confidentiality loss only (C:L/I:N/A:N). The score appropriately captures a moderate but real privacy risk in a constrained threat model. However, the practical risk may be higher in contexts where friend lists inform downstream targeting or where regulatory exposure is substantial.
Frequently asked questions
Can an attacker exploit this without a user account?
No. The vulnerability requires authentication—an attacker must hold valid credentials for at least one user account on the BuddyPress instance. However, many sites allow free registration or have low-privilege guest accounts, making this requirement minimal in practice.
What data is exposed?
Only the friend list of the target user is disclosed: the identities and user IDs of accounts the target user has friended. Additional profile data (email, phone, etc.) is not directly exposed by this vulnerability, though friend lists can be correlated with other public data for reconnaissance.
Is there an exploit in the wild or active attacks?
CVE-2026-53675 is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, indicating no widespread weaponized exploitation has been reported as of the modification date. However, the simplicity of exploitation means malicious actors could develop proof-of-concepts quickly.
What should I do if I operate a BuddyPress site?
Immediately check your installed version against the vendor advisory. If you are running 14.4.0 or an affected version, plan an upgrade to the patched release within 2–4 weeks depending on your risk tolerance. Enable detailed API access logging and review logs from mid-June 2026 onward for signs of enumeration attacks. Consider temporarily restricting the friends endpoint if urgent patching is not immediately feasible.
This analysis is based on the published CVE record and vendor information current as of the modification date (2026-06-17). Specific patch version numbers, timeline of exploitation in the wild, and full technical details should be verified against the official BuddyPress security advisory. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Organizations should conduct their own risk assessment, test patches in staging environments, and consult with BuddyPress support for installation-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10038MEDIUMCharitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-11142MEDIUMChrome Paint Same-Origin Policy Bypass Vulnerability
- CVE-2026-11461MEDIUMhermes-agent Authorization Bypass in Resume Endpoint
- CVE-2026-11500MEDIUMWeaviate Authorization Bypass in Static API Key Handler
- CVE-2026-23638MEDIUMKiteworks IDOR Vulnerability in Secure Data Forms – Patch Guidance