Authorization Flaw in Craft CMS Affects Sensitive Data Access
CVE-2026-28696

8.7HIGH

Key Information:

Vendor: Craftcms
Status: Cms
Vendor: CVE Published:; 4 March 2026

What is CVE-2026-28696?

Craft CMS has a vulnerability in the GraphQL directive @parseRefs, which is designed to parse internal reference tags. This flaw allows both authenticated users and unauthenticated guests (with a Public Schema enabled) to access sensitive attributes of any element in the CMS due to insufficient authorization checks in Elements::parseRefs. As a result, unauthorized users can read data they should not have access to, potentially exposing sensitive information. The issue has been addressed in versions 4.17.0-beta.1 and 5.9.0-beta.1.

Affected Version(s)

cms >= 4.0.0-RC1, < 4.17.0-beta.1 < 4.0.0-RC1, 4.17.0-beta.1

cms >= 5.0.0-RC1, < 5.9.0-beta.1 < 5.0.0-RC1, 5.9.0-beta.1

References

https://github.com/craftcms/cms/security/advisories/GHSA-...

x_refsource_CONFIRM

https://github.com/craftcms/cms/commit/4d98a07e47580f1712...

x_refsource_MISC

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 4, 2026
Vulnerability Reserved
Mar 2, 2026

CVE-2026-28696 Data

JSON

Craftcms

What is CVE-2026-28696?

Affected Version(s)

References

CVSS V4

Timeline