← Back

CVE-2026-32267

nvd nist
Published: Mar 16, 2026Modified: Mar 17, 2026

JSON object

Loading...
7.7
Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

Affected (8)

Products: Craftcms: Craft Cms
Craftcms
1 product
Craft Cms
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Craftcms
Craft Cms
From 4.0.0.1 to 4.17.6
Craft Cms
From 5.0.1 to 5.9.12
Craft Cms
Version 4.0.0
Craft Cms
Version 4.0.0 rc1
Craft Cms
Version 4.0.0 rc2
Craft Cms
Version 4.0.0 rc3
Craft Cms
Version 5.0.0
Craft Cms
Version 5.0.0 rc1

Related CWEs

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References (3)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitPatchVendor Advisory
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
ExploitPatchVendor Advisory

Timeline

No history available yet.