Craft CMS, a popular content management system, suffers from a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability (CVE-2026-27128) affecting versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The vulnerability resides in the token validation service specifically in the handling of tokens that have explicitly limited usage counts, such as single-use impersonation tokens. The method getTokenRoute() reads the token's usage count to verify it is within allowed limits and then updates the usage count in the database. However, these operations are performed in separate, non-atomic steps, allowing a race condition. An attacker who has obtained a valid impersonation URL containing such a token can send multiple concurrent requests to reuse the token multiple times before the database update completes, effectively bypassing the single-use restriction. This can lead to privilege escalation if the impersonation token corresponds to a user with higher permissions than the attacker. Exploitation requires the attacker to have a valid token (obtained through other means), bypass any rate-limiting protections, and successfully execute concurrent requests within a narrow timing window. The vulnerability does not require user interaction but does require privileges to obtain the token initially. The flaw is patched in Craft CMS versions 4.16.19 and 5.8.23. The CVSS 4.0 score of 6.9 indicates medium severity, with network attack vector, high attack complexity, partial confidentiality impact, and no impact on integrity or availability. There are no known exploits in the wild at this time.

This vulnerability can allow an attacker to reuse single-use impersonation tokens multiple times, leading to unauthorized privilege escalation within affected Craft CMS installations. Organizations using vulnerable versions may face risks of unauthorized access to sensitive administrative functions or user accounts with elevated permissions. This could result in data exposure, unauthorized content modifications, or disruption of CMS-managed services. The impact is particularly critical in environments where impersonation tokens are used for administrative or sensitive user operations. Although exploitation requires possession of a valid token and bypassing rate limiting, successful attacks could undermine trust in authentication mechanisms and lead to broader compromise of web applications relying on Craft CMS. Since the vulnerability affects token validation logic, it may also impact audit trails and session integrity. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially in targeted attacks.

Organizations should promptly upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where the vulnerability is patched with atomic token usage updates. Until patching is possible, administrators should enforce strict access controls to limit who can generate impersonation tokens and monitor for unusual concurrent access patterns indicative of race condition exploitation. Rate limiting and anomaly detection should be strengthened to prevent rapid concurrent requests using the same token. Additionally, reviewing and restricting the lifetime and scope of impersonation tokens can reduce exposure. Implementing application-layer concurrency controls or database transaction mechanisms to ensure atomic updates of token usage counts can mitigate race conditions. Regular audits of token usage logs and alerting on repeated token reuse attempts can help detect exploitation attempts early. Finally, educating developers and administrators about TOCTOU risks and secure token management practices is recommended.