← Back

CVE-2026-33159

nvd nist
Published: Mar 24, 2026Modified: Mar 26, 2026

JSON object

Loading...
6.9
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.

Affected (8)

Products: Craftcms: Craft Cms
Craftcms
1 product
Craft Cms
Configuration A
8 vulnerable
Vulnerable SoftwareAffected Versions
Craftcms
Craft Cms
After 4.0.0 to 4.17.8
Craft Cms
After 5.0.0 to 5.9.14
Craft Cms
Version 4.0.0
Craft Cms
Version 4.0.0 rc1
Craft Cms
Version 4.0.0 rc2
Craft Cms
Version 4.0.0 rc3
Craft Cms
Version 5.0.0
Craft Cms
Version 5.0.0 rc1

Related CWEs

CWE-306
Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (4)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Release Notes
Source: security-advisories@github.com
Vendor Advisory

Timeline

No history available yet.