Improper Authorization Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-14794
5.3MEDIUM
What is CVE-2026-14794?
A vulnerability has been identified in Craft CMS version 4.18.0.1, specifically in the Charts Endpoint's actionGetNewUsersData function, located in src/controllers/ChartsController.php. This flaw arises from inadequate authorization checks related to the userGroupId argument, allowing remote attackers to exploit the weakness. It is advisable to upgrade to version 4.18.1, which includes a patch to resolve this authorization issue.
Affected Version(s)
CMS 4.18.0.0
CMS 4.18.0.1
CMS 4.18.1
