
CVE-2026-27128: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in craftcms cms

Severity: Medium
Tags: Vulnerability, CVE-2026-27128, CWE-367
Published: Tue Feb 24 2026 (02/24/2026, 02:42:53 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.

AI-Powered Analysis

Last updated: 02/24/2026, 03:19:05 UTC

Technical Analysis

Craft CMS, a widely used content management system, suffers from a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability identified as CVE-2026-27128. This vulnerability affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The issue lies in the token validation service, specifically in the `getTokenRoute()` method, which manages impersonation tokens that have explicit usage limits. The method reads the current usage count of a token, verifies if it is within allowed limits, and then updates the usage count in the database. However, these operations are performed in separate, non-atomic steps, creating a window where concurrent requests can exploit the race condition. An attacker who has obtained a valid impersonation URL containing a token with limited usage can send multiple concurrent requests to reuse a single-use token multiple times before the database reflects the updated usage count. This can allow the attacker to impersonate a user with higher privileges multiple times, effectively escalating their privileges. Exploitation requires the attacker to have a valid impersonation token (obtained through other means) and to bypass any rate-limiting mechanisms in place, which adds complexity to the attack. The vulnerability does not require user interaction but does require privileges to obtain the token initially. The flaw is patched in Craft CMS versions 4.16.19 and 5.8.23. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, high complexity, and requirement for privileges and partial confidentiality impact.

Potential Impact

This vulnerability can lead to unauthorized privilege escalation within organizations using affected versions of Craft CMS. Attackers who manage to obtain valid impersonation tokens can exploit the race condition to reuse single-use tokens multiple times, potentially gaining repeated access to higher-privileged user accounts. This can compromise the confidentiality and integrity of sensitive data managed through the CMS, including website content, user information, and administrative controls. Organizations relying on Craft CMS for critical web infrastructure may face risks of unauthorized content modification, data leakage, or further lateral movement within their networks. Although exploitation requires some preconditions (possession of a valid token and bypassing rate limits), the impact on affected systems can be significant, especially in environments with high-value targets or sensitive data. The vulnerability does not directly affect availability but can undermine trust and security posture.

Mitigation Recommendations

Organizations should immediately upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where the vulnerability is patched. In addition to patching, administrators should review and tighten access controls to limit the issuance and distribution of impersonation tokens, ensuring tokens are only granted to trusted users and are time-limited. Implement robust monitoring and alerting for unusual token usage patterns, such as multiple concurrent requests using the same token. Rate limiting should be enforced and tested to prevent bypass attempts. Consider implementing additional application-layer concurrency controls or atomic operations around token usage counts to prevent race conditions. Regularly audit logs for signs of token reuse or suspicious impersonation activity. Educate developers and administrators about secure token handling practices and the risks of TOCTOU race conditions in authentication flows.
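The pattern the description and analysis above refer to (read the usage count, check it, then increment in a separate statement) and the atomic alternative the mitigation section suggests are shown side by side below. This is an added illustration, not Craft CMS code: the `tokens` table, its columns and the token values are constructed, and the "concurrent requests" are simulated deterministically by running every request's time-of-check read before any request's time-of-use write, which is the interleaving the advisory says concurrent requests can produce. The `overused_tokens()` helper is the kind of audit query the mitigation section's log-review advice points at; it flags a token whose recorded use count exceeds its limit.

```python
import sqlite3

# Constructed, in-memory schema standing in for a limited-use token table.
# Hypothetical names; this is not the Craft CMS schema.
SCHEMA = """
CREATE TABLE tokens (
    id          INTEGER PRIMARY KEY,
    token       TEXT NOT NULL UNIQUE,
    usage_limit INTEGER,                     -- NULL means unlimited
    usage_count INTEGER NOT NULL DEFAULT 0
);
"""


def make_db() -> sqlite3.Connection:
    """Fresh database with one single-use and one unlimited token (constructed values)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO tokens (token, usage_limit) VALUES (?, ?)", ("single-use-abc", 1))
    conn.execute("INSERT INTO tokens (token, usage_limit) VALUES (?, ?)", ("unlimited-xyz", None))
    conn.commit()
    return conn


# --- vulnerable pattern: read, check and write as separate statements ----------
def vulnerable_check(conn: sqlite3.Connection, token: str):
    """Time-of-check: read the row and decide, without claiming a use yet.
    Returns the token id if the token may be used, else None."""
    row = conn.execute(
        "SELECT id, usage_limit, usage_count FROM tokens WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    token_id, limit, count = row
    if limit is not None and count >= limit:
        return None
    return token_id


def vulnerable_use(conn: sqlite3.Connection, token_id: int) -> None:
    """Time-of-use: unconditional increment, issued later as its own statement."""
    conn.execute("UPDATE tokens SET usage_count = usage_count + 1 WHERE id = ?", (token_id,))
    conn.commit()


def race_vulnerable(conn: sqlite3.Connection, token: str, concurrent: int = 2) -> int:
    """Simulate `concurrent` requests whose checks all run before any write.
    Every request sees usage_count == 0 and is granted; returns the grant count."""
    granted = [vulnerable_check(conn, token) for _ in range(concurrent)]
    for token_id in granted:
        if token_id is not None:
            vulnerable_use(conn, token_id)
    return sum(1 for token_id in granted if token_id is not None)


# --- hardened pattern: one conditional UPDATE claims the use atomically --------
def consume_token_atomic(conn: sqlite3.Connection, token: str) -> bool:
    """Check and increment in a single statement; the database serializes
    concurrent UPDATEs, so rowcount tells this request whether it won a use."""
    cur = conn.execute(
        """
        UPDATE tokens
           SET usage_count = usage_count + 1
         WHERE token = ?
           AND (usage_limit IS NULL OR usage_count < usage_limit)
        """,
        (token,),
    )
    conn.commit()
    return cur.rowcount == 1


def race_atomic(conn: sqlite3.Connection, token: str, concurrent: int = 2) -> int:
    """Same request burst against the atomic version: at most usage_limit succeed."""
    return sum(1 for _ in range(concurrent) if consume_token_atomic(conn, token))


# --- audit query: tokens used more often than their limit allows ---------------
def overused_tokens(conn: sqlite3.Connection) -> list:
    """A limited token whose count exceeds its limit is evidence of a race or bug."""
    rows = conn.execute(
        "SELECT token FROM tokens "
        "WHERE usage_limit IS NOT NULL AND usage_count > usage_limit ORDER BY token"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, 3 requests granted:", race_vulnerable(db, "single-use-abc", 3))
    print("audit flags:", overused_tokens(db))
    db = make_db()
    print("atomic, 3 requests granted:", race_atomic(db, "single-use-abc", 3))
```

The design point is that the check and the write must be the same database operation: a `WHERE usage_count < usage_limit` clause on the `UPDATE` lets the database's row-level serialization enforce the limit, whereas any check made in application code before a separate write leaves a window in which every in-flight request sees the old count. A `SELECT ... FOR UPDATE` inside a transaction achieves the same on engines that support it.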


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-17T18:42:27.043Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 699d14d6be58cf853b182c3c

Added to database: 2/24/2026, 3:02:46 AM

Last enriched: 2/24/2026, 3:19:05 AM

Last updated: 2/25/2026, 12:10:49 AM
