CVE-2026-28696: CWE-639: Authorization Bypass Through User-Controlled Key in craftcms cms
CVE-2026-28696 is a high-severity authorization bypass vulnerability in Craft CMS versions prior to 4.17.0-beta.1 and 5.9.0-beta.1. The flaw exists in the GraphQL @parseRefs directive, which parses internal reference tags but fails to enforce authorization checks, allowing both authenticated and unauthenticated users (if a Public Schema is enabled) to access sensitive data. This vulnerability enables attackers to read confidential attributes of any CMS element without proper permissions. Exploitation requires no authentication or user interaction and can be performed remotely over the network.
AI Analysis
Technical Summary
Craft CMS, a popular content management system, contains a critical vulnerability identified as CVE-2026-28696, categorized under CWE-639 (Authorization Bypass Through User-Controlled Key). The vulnerability arises from improper authorization checks in the implementation of the GraphQL @parseRefs directive, which is designed to parse internal reference tags such as {user:1:email}. In affected versions (>=4.0.0-RC1 and <4.17.0-beta.1, and >=5.0.0-RC1 and <5.9.0-beta.1), the Elements::parseRefs function does not verify whether the requesting user has permission to access the referenced elements. Consequently, attackers can exploit this flaw to retrieve sensitive attributes from any element within the CMS. Notably, exploitation is possible by unauthenticated users if the CMS has a Public Schema enabled, significantly broadening the attack surface. The vulnerability is remotely exploitable without requiring any privileges or user interaction, making it highly dangerous. The flaw was addressed and fixed in versions 4.17.0-beta.1 and 5.9.0-beta.1 by adding proper authorization checks to the parsing logic. No known exploits have been reported in the wild as of the publication date, but the high CVSS score of 8.7 reflects the critical nature of the issue.
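The bug class described above reduces to a small pattern, shown here as an added example that is not Craft CMS code: a hypothetical reference-tag resolver for tags of the form {user:1:email}, first in the CWE-639 shape (the key inside the tag alone selects the element and nobody checks who is asking), then in a hardened shape where every resolved key is checked against the requester's permissions before the attribute is expanded. The element store, the Requester type, the permission model and the tag grammar are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample element store (element type -> id -> attributes).
# A user's email is exactly the kind of attribute a tag such as
# {user:1:email} would expand to.
ELEMENTS: Dict[str, Dict[int, Dict[str, str]]] = {
    "user": {
        1: {"email": "admin@example.test", "username": "admin"},
        2: {"email": "editor@example.test", "username": "editor"},
    },
    "entry": {
        10: {"title": "Public post", "internalNote": "not for the public site"},
    },
}

# Reference-tag grammar assumed here: {type:id:attribute}
REF_TAG = re.compile(r"\{(?P<type>[a-z]+):(?P<id>\d+):(?P<attr>[A-Za-z_]+)\}")


@dataclass
class Requester:
    """Who is asking. user_id=None models an unauthenticated Public Schema request."""
    user_id: Optional[int] = None
    granted: Set[Tuple[str, int]] = field(default_factory=set)  # explicit view grants


def can_view_element(requester: Requester, etype: str, eid: int) -> bool:
    # Hypothetical permission model: a user may view their own user element
    # plus anything explicitly granted; anonymous requesters only get grants.
    if etype == "user" and requester.user_id == eid:
        return True
    return (etype, eid) in requester.granted


def lookup(etype: str, eid: int, attr: str) -> Optional[str]:
    return ELEMENTS.get(etype, {}).get(eid, {}).get(attr)


def parse_refs_vulnerable(text: str) -> str:
    """CWE-639 pattern: the user-controlled key selects the element and the
    attribute is returned without any check on the requester."""
    def resolve(m):
        value = lookup(m.group("type"), int(m.group("id")), m.group("attr"))
        return m.group(0) if value is None else value
    return REF_TAG.sub(resolve, text)


def parse_refs_hardened(text: str, requester: Requester) -> str:
    """Same parser, but each resolved key is authorized for the requester
    first. Denied and nonexistent references both collapse to an empty
    string so the output cannot be used as an existence oracle."""
    def resolve(m):
        etype, eid, attr = m.group("type"), int(m.group("id")), m.group("attr")
        value = lookup(etype, eid, attr) if can_view_element(requester, etype, eid) else None
        return "" if value is None else value
    return REF_TAG.sub(resolve, text)


if __name__ == "__main__":
    body = "Contact: {user:1:email} / note: {entry:10:internalNote}"
    print(parse_refs_vulnerable(body))                      # everything expands
    print(parse_refs_hardened(body, Requester(user_id=None)))  # anonymous: nothing
    print(parse_refs_hardened(body, Requester(user_id=1)))     # own email only
```

The point of the hardened version is that the authorization decision is made per resolved element, inside the parser, rather than relying on the caller having checked the surrounding field; the fix described for 4.17.0-beta.1 and 5.9.0-beta.1 is characterized the same way, as a check added to the parsing logic.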
Potential Impact
The vulnerability allows unauthorized disclosure of sensitive data stored within the Craft CMS environment, including potentially personal user information, internal configuration details, or other confidential content. This breach of confidentiality can lead to privacy violations, data leakage, and potential compliance failures (e.g., GDPR). Attackers gaining access to sensitive CMS elements could leverage this information for further attacks such as social engineering, privilege escalation, or lateral movement within an organization's infrastructure. Since unauthenticated users can exploit the flaw if a Public Schema is enabled, public-facing Craft CMS installations are particularly at risk. The widespread use of Craft CMS in various industries means that organizations globally could face data exposure, reputational damage, and regulatory penalties if unpatched. The vulnerability does not affect integrity or availability directly but poses a significant risk to data confidentiality.
Mitigation Recommendations
Organizations should immediately upgrade Craft CMS to versions 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should disable the Public Schema feature if it is enabled, as this reduces the risk of unauthenticated exploitation. Additionally, review and restrict GraphQL schema permissions to limit exposure of sensitive elements. Implement network-level access controls to restrict access to the CMS GraphQL endpoint to trusted users or IP ranges where feasible. Monitor CMS logs for unusual GraphQL queries that attempt to access internal references. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious GraphQL requests targeting the @parseRefs directive. Finally, conduct regular security assessments and code reviews of CMS customizations to ensure no additional authorization bypasses exist.
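One way to act on the log-monitoring recommendation above, as an added example rather than anything shipped with Craft CMS: a small analyzer that reads GraphQL request logs, picks out queries using the @parseRefs directive, and raises alerts for unauthenticated use and for sources that use the directive repeatedly. The JSON-lines log format and its field names (ts, src_ip, user, query) are this example's assumption; the sample lines are constructed.

```python
import json
import re
from collections import Counter
from typing import Dict, List

# Matches the directive wherever it appears in a query body.
PARSE_REFS_DIRECTIVE = re.compile(r"@parseRefs\b")

# Constructed sample log, one JSON object per line. The field names
# (ts, src_ip, user, query) are this example's assumption, not Craft's format;
# user=null stands for an unauthenticated (Public Schema) request.
SAMPLE_LOG = """\
{"ts": "2026-03-04T16:00:01Z", "src_ip": "10.0.0.5", "user": "editor", "query": "{ entries { title } }"}
{"ts": "2026-03-04T16:00:02Z", "src_ip": "203.0.113.9", "user": null, "query": "{ entries { body @parseRefs } }"}
{"ts": "2026-03-04T16:00:03Z", "src_ip": "203.0.113.9", "user": null, "query": "{ entries(limit: 50) { body @parseRefs summary @parseRefs } }"}
{"ts": "2026-03-04T16:00:04Z", "src_ip": "10.0.0.5", "user": "editor", "query": "{ entries { body @parseRefs } }"}
{"ts": "2026-03-04T16:00:05Z", "src_ip": "203.0.113.9", "user": null, "query": "{ ping }"}
"""


def analyze_log(text: str, repeat_threshold: int = 2) -> Dict[str, object]:
    """Return alerts a defender should review: every unauthenticated use of
    @parseRefs, and every source that uses it at least repeat_threshold times."""
    alerts: List[Dict[str, str]] = []
    uses_by_ip: Counter = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if not PARSE_REFS_DIRECTIVE.search(rec.get("query", "")):
            continue  # only directive-bearing queries are of interest here
        uses_by_ip[rec["src_ip"]] += 1
        if rec.get("user") is None:
            alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                           "reason": "unauthenticated @parseRefs use"})
    for ip, n in uses_by_ip.items():
        if n >= repeat_threshold:
            alerts.append({"ts": "-", "src_ip": ip,
                           "reason": f"repeated @parseRefs use ({n} queries)"})
    return {"alerts": alerts, "uses_by_ip": dict(uses_by_ip)}


if __name__ == "__main__":
    for alert in analyze_log(SAMPLE_LOG)["alerts"]:
        print(alert)
```

After patching, the unauthenticated rule is still worth keeping: with the Public Schema disabled there should be no anonymous @parseRefs traffic at all, so any hit indicates either a misconfiguration or a probe.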
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.928Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a85ed1d1a09e29cb4aedf5
Added to database: 3/4/2026, 4:33:21 PM
Last enriched: 3/4/2026, 4:47:53 PM
Last updated: 3/4/2026, 6:04:16 PM