Unauthenticated Access Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-33159

6.9 MEDIUM

Key Information:

Vendor:
Craftcms
Status:
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33159?

Craft CMS, a content management system developed by Pixel & Tonic, contains a vulnerability that allows guest (unauthenticated) users to reach the Config Sync updater index without proper authentication. The flaw exposes signed data to unauthorized users and enables state-changing Config Sync actions, such as regenerating YAML files and applying YAML changes. It affects versions from 4.0.0-RC1 up to, but not including, 4.17.8, and from 5.0.0-RC1 up to, but not including, 5.9.14. The vulnerability is fixed in versions 4.17.8 and 5.9.14.

Affected Version(s)

Package | Affected versions          | Not affected
cms     | >= 4.0.0-RC1, < 4.17.8     | < 4.0.0-RC1, 4.17.8
cms     | >= 5.0.0-RC1, < 5.9.14     | < 5.0.0-RC1, 5.9.14
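The affected ranges above have an inclusive lower bound on a release candidate and an exclusive upper bound on the fixed release, which a naive string comparison gets wrong (for example, "4.0.0-RC1" sorts after "4.0.0" lexically, and "RC10" sorts before "RC2"). The following Python is added here as an example and is not code from the advisory or from Pixel & Tonic: it encodes the two ranges listed above and compares a reported Craft CMS version against them using pre-release-aware ordering, so a defender can triage an inventory of installations. The hostnames and versions in the sample inventory are constructed.

```python
"""Affected-version check for CVE-2026-33159 (Craft CMS, package "cms").

Added example, not code from the advisory or from Pixel & Tonic. The version
ranges are the ones the advisory lists; the parsing and comparison logic is
this example's own and handles the '-RC1' pre-release lower bounds correctly.
"""
from __future__ import annotations

import re

# (first affected version, inclusive; first fixed version, exclusive), per the advisory.
AFFECTED_RANGES: list[tuple[str, str]] = [
    ("4.0.0-RC1", "4.17.8"),
    ("5.0.0-RC1", "5.9.14"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$")
_IDENT_RE = re.compile(r"^([A-Za-z]*)(\d*)$")


def _prerelease_key(pre: str) -> tuple:
    """Turn 'RC1' / 'beta.2' into a tuple that orders numerically, not lexically."""
    key = []
    for ident in pre.split("."):
        m = _IDENT_RE.match(ident)
        if m is None:
            # Mixed identifiers such as 'rc-1' fall back to a plain string compare.
            key.append((2, ident.lower(), 0))
            continue
        alpha, digits = m.groups()
        num = int(digits) if digits else 0
        if alpha == "":
            key.append((0, "", num))             # purely numeric identifier
        else:
            key.append((1, alpha.lower(), num))  # 'rc1' -> ('rc', 1): RC2 < RC10
    return tuple(key)


def parse_version(version: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a sortable key.

    A pre-release sorts before its final release (4.0.0-RC1 < 4.0.0), so the
    advisory's '>= 4.0.0-RC1' bound includes the release candidates as well as
    every 4.x final release below the fix.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Craft CMS version string: {version!r}")
    major, minor, patch, pre = m.groups()
    core = (int(major), int(minor), int(patch))
    if pre is None:
        return core + ((1, ()),)  # final release: ranks above any pre-release
    return core + ((0, _prerelease_key(pre)),)


def is_affected(version: str) -> bool:
    """True if `version` lies in one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def fixed_release_for(version: str) -> str | None:
    """Return the first fixed release in the same major series, or None if not affected."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= v < parse_version(hi):
            return hi
    return None


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and the Craft CMS version each reports.
    inventory = {
        "site-a.example": "4.17.7",
        "site-b.example": "5.9.14",
        "site-c.example": "5.0.0-RC1",
        "site-d.example": "3.9.0",
    }
    for host, ver in inventory.items():
        fix = fixed_release_for(ver)
        status = f"AFFECTED -> upgrade to {fix}" if fix else "not affected"
        print(f"{host:16} {ver:10} {status}")
```

Only the two ranges are hard-coded; a pre-release with no pre-release tag on the upper bound (the fixed release) is treated as greater than any release candidate of that same version, which is the ordering the advisory's "< 4.17.8" and "< 5.9.14" bounds assume.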

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability reserved