Improper Authorization Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-14794

5.3MEDIUM

Key Information:

Vendor

Craft

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-14794?

A vulnerability has been identified in Craft CMS version 4.18.0.1, specifically in the Charts Endpoint's actionGetNewUsersData function, located in src/controllers/ChartsController.php. This flaw arises from inadequate authorization checks related to the userGroupId argument, allowing remote attackers to exploit the weakness. It is advisable to upgrade to version 4.18.1, which includes a patch to resolve this authorization issue.

Affected Version(s)

CMS 4.18.0.0

CMS 4.18.0.1

CMS 4.18.1

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

geochen (VulDB User)
.