The Sprig plugin for Craft CMS is a reactive Twig component framework used to build dynamic front-end components. Versions 2.0.0 through 2.15.1 and 3.0.0 through 3.15.1 contain a vulnerability (CVE-2026-27131) that allows certain privileged users—specifically admin users or those granted explicit access to the Sprig Playground—to expose sensitive information. This includes security keys, credentials, and other configuration data that should remain confidential. The root cause is that the Sprig Playground interface remained accessible even when the Craft CMS 'devMode' was disabled, which is typically used to restrict access in production environments. This accessibility allowed authorized users to run the `hashData()` signing function and potentially extract sensitive data. The vulnerability was addressed in versions 2.15.2 and 3.15.2 by disabling the Sprig Playground by default when devMode is off, with a new configuration option `enablePlaygroundWhenDevModeDisabled` introduced to override this behavior but defaulting to false. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-489 (Leftover Debug Code). The CVSS v3.1 base score is 5.5, indicating a medium severity with network attack vector, low attack complexity, requiring high privileges but no user interaction, and impacting confidentiality significantly while integrity and availability are less affected. No known exploits in the wild have been reported as of the publication date.

This vulnerability primarily impacts the confidentiality of sensitive information within organizations using the affected versions of the Sprig plugin for Craft CMS. Exposure of security keys and credentials can lead to further compromise, including unauthorized access to backend systems, data breaches, and potential lateral movement within the network. Since exploitation requires authenticated access with high privileges, the risk is somewhat contained but still significant in environments where multiple users have admin or elevated permissions. The integrity of data is minimally affected, and availability is not impacted. However, leaked credentials could be leveraged in chained attacks, increasing overall risk. Organizations running production environments with devMode disabled but with the Sprig Playground enabled via override are particularly at risk. The vulnerability could affect web applications relying on Craft CMS for content management, especially those with complex user roles and permissions. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often target exposed sensitive information for follow-on attacks.

Organizations should immediately upgrade the Sprig plugin to version 2.15.2 or 3.15.2 or later, where the vulnerability is patched by disabling the Sprig Playground by default when devMode is off. If upgrading is not immediately possible, administrators should ensure that the Sprig Playground is not enabled in production environments, particularly by verifying that the `enablePlaygroundWhenDevModeDisabled` setting remains false. Review and restrict user permissions to limit access to admin roles and the Sprig Playground only to trusted personnel. Conduct audits of user roles and permissions to minimize the number of users with elevated privileges. Monitor logs for any unusual access patterns to the Sprig Playground or attempts to invoke the `hashData()` function. Implement network segmentation and strong authentication controls to reduce the risk of privilege escalation. Additionally, rotate any potentially exposed credentials and security keys as a precautionary measure. Finally, maintain regular patch management and vulnerability scanning to detect and remediate similar issues promptly.