Privilege Escalation Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-32267
What is CVE-2026-32267?
CVE-2026-32267 is a privilege escalation vulnerability in Craft CMS, a widely used content management system for website management and content delivery. It affects versions 4.0.0-RC1 up to (but not including) 4.17.6 and versions 5.0.0-RC1 up to (but not including) 5.9.12. The flaw lies in the UsersController and allows a low-privilege user, or an unauthenticated user who has been given a shared URL, to escalate their permissions to those of an admin. Successful exploitation gives an attacker significant control over the system, including the ability to modify content, access sensitive data, or further compromise the system's integrity. The risk of unauthorized privilege escalation underscores the need for organizations running Craft CMS to update promptly and maintain security awareness.
Potential impact of CVE-2026-32267
- Unauthorized Access and Control: Exploiting this vulnerability can give attackers administrative rights within Craft CMS, allowing them to manipulate site content, configurations, and user accounts, with potential data breaches and operational disruptions as a result.
- Data Integrity Compromise: With escalated privileges, attackers could alter or delete content, leading to misinformation, loss of critical data, and damage to the organization's reputation, particularly if the CMS serves public-facing applications.
- Further System Compromise: An attacker with administrative access can install malicious plugins or introduce malware, potentially spreading beyond the CMS to other interconnected systems and creating a broader security risk for the organization.
Affected Version(s)
Product   Affected versions         Unaffected / fixed versions
cms       >= 4.0.0-RC1, < 4.17.6    < 4.0.0-RC1, 4.17.6
cms       >= 5.0.0-RC1, < 5.9.12    < 5.0.0-RC1, 5.9.12
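To check an installed Craft CMS version against the ranges in the table above, here is an added example in Python; it is not code from the advisory or from Pixel & Tonic. The version parser is an assumption that follows Composer-style ordering, where a pre-release tag such as RC1 sorts before the final release of the same number.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.6"), ("5.0.0-RC1", "5.9.12")]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}  # assumed pre-release ordering: alpha < beta < rc < final

def parse_version(text: str) -> Tuple[int, int, int, Tuple[int, ...]]:
    """Parse 'MAJOR.MINOR.PATCH[-PRE]' into a tuple that sorts correctly.

    Final releases get pre_key (1,), pre-releases get (0, rank, number), so that
    4.0.0-RC1 < 4.0.0 and 5.0.0-beta.2 < 5.0.0-RC1 under plain tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    if pre is None:
        pre_key: Tuple[int, ...] = (1,)
    else:
        pm = re.match(r"^(alpha|beta|rc)\.?(\d*)$", pre, re.IGNORECASE)
        if not pm:
            raise ValueError(f"unsupported pre-release tag: {pre!r}")
        pre_key = (0, _PRE_RANK[pm.group(1).lower()], int(pm.group(2) or 0))
    return (int(major), int(minor), int(patch), pre_key)

def fixed_version_for(version: str) -> Optional[str]:
    """Return the first patched release on the same major line, or None if unaffected."""
    v = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        if parse_version(lower) <= v < parse_version(upper):
            return upper
    return None

def is_affected(version: str) -> bool:
    return fixed_version_for(version) is not None

if __name__ == "__main__":
    # Constructed sample versions, including the range boundaries from the advisory.
    for sample in ("3.9.0", "4.0.0-RC1", "4.17.5", "4.17.6", "5.0.0-beta.2", "5.9.11", "5.9.12"):
        fix = fixed_version_for(sample)
        print(f"{sample:14} {'affected, upgrade to ' + fix if fix else 'not affected'}")
```

The installed version to feed into this check can be read from the project's composer.lock entry for craftcms/cms.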
