Sulu: Weak Cryptographical usage for API Key generation and Reset Tokens
Package
Affected versions
>= 3.0.0-alpha1, <= 3.0.5
<= 2.6.22
Patched versions
3.0.6
2.6.23
Description
Published to the GitHub Advisory Database
May 18, 2026
Reviewed
May 18, 2026
Published by the National Vulnerability Database
Jun 1, 2026
Last updated
Jun 9, 2026
Impact
The password reset tokenand API key generation uses a weak cryptographical hash algorithm.
Patches
Fixed in 2.6.23 and 3.0.6 version.
Workarounds
Patch the related
User.phpandResettingController.phpfile in the SecurityBundle.References