CVE-2026-28696: CWE-639: Authorization Bypass Through User-Controlled Key in craftcms cms
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
AI Analysis
Technical Summary
Craft CMS, a widely used PHP content management system, contains a high-severity authorization bypass tracked as CVE-2026-28696 and classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The flaw lies in the GraphQL @parseRefs directive, which resolves Craft reference tags such as {user:1:email} into the named attribute of the referenced element. In affected versions (>=4.0.0-RC1 and <4.17.0-beta.1, and >=5.0.0-RC1 and <5.9.0-beta.1), the underlying Elements::parseRefs implementation resolves the element type, ID and attribute named in the tag without checking whether the requesting user is permitted to view that element. Because the tag itself names the target, anyone who can get a tag parsed by the directive can read attributes of arbitrary elements, which is exactly the user-controlled-key pattern CWE-639 describes. Any user with access to a GraphQL schema that exposes the directive can exploit it; if a Public Schema is enabled, unauthenticated guests can as well, and that is the scenario behind the CVSS 4.0 score of 8.7 (network-reachable, no privileges, no user interaction), which rates as High rather than Critical. The fix in 4.17.0-beta.1 and 5.9.0-beta.1 adds the missing authorization check to the parsing logic. No in-the-wild exploitation had been reported at the time of publication.
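A quick way to triage an inventory of Craft installs against the affected ranges above, as an added example that is not part of this advisory or of Craft's own code. It assumes Craft's version strings follow the x.y.z[-tag.n] form shown on this page (RC1, beta.1) and that pre-release tags order as alpha < beta < RC < final; the host names are constructed.

```python
import re

# Affected ranges as stated in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.0-beta.1"),
    ("5.0.0-RC1", "5.9.0-beta.1"),
]

# Assumed pre-release ordering for Craft tags: alpha < beta < RC < final release.
_PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3

# Accepts "4.17.0-beta.1", "4.0.0-RC1", "5.8.9" (an optional leading "v" is tolerated).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Turn a Craft version string into a comparable tuple.

    Returns (major, minor, patch, prerelease_rank, prerelease_number).
    A final release ranks above any pre-release of the same x.y.z, so
    4.17.0-beta.1 < 4.17.0 and 4.0.0-beta.2 < 4.0.0-RC1 < 4.0.0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version: {text!r}")
    major, minor, patch, pre, pre_num = m.groups()
    if pre is None:
        rank, num = _FINAL_RANK, 0
    else:
        key = pre.lower()
        if key not in _PRE_RANK:
            raise ValueError(f"unknown pre-release tag in {text!r}")
        rank = _PRE_RANK[key]
        num = int(pre_num) if pre_num else 0
    return (int(major), int(minor), int(patch), rank, num)


def is_affected(installed):
    """True when the installed version falls inside one of the affected ranges."""
    v = parse_version(installed)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return True
    return False


def triage(inventory):
    """Map host -> version into host -> 'patch' or 'ok'."""
    return {host: ("patch" if is_affected(ver) else "ok") for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"www-1": "4.16.3", "www-2": "5.8.9", "staging": "5.9.0-beta.1", "legacy": "3.9.14"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```

Note that a Craft 3.x install (such as "legacy" above) is reported as "ok" only because it is outside the ranges this CVE lists; Craft 3 is end-of-life and should be judged separately.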
Potential Impact
The vulnerability allows unauthorized disclosure of attributes stored on any Craft element: user accounts (the {user:1:email} example in the advisory resolves to a user's email address), entries, assets, categories and other element types, including content that was never published or was restricted to specific user groups. This breach of confidentiality can lead to privacy violations, data leakage, and compliance failures (e.g., GDPR). Attackers holding user email addresses and internal content can use them for follow-on attacks such as targeted phishing, credential stuffing against the control panel, or reconnaissance for lateral movement. Since unauthenticated guests can exploit the flaw when a Public Schema is enabled, public-facing Craft CMS installations that expose GraphQL are particularly at risk. Given Craft's broad adoption, unpatched organizations face data exposure, reputational damage, and regulatory penalties. The vulnerability does not affect integrity or availability directly, but it poses a significant risk to data confidentiality.
Mitigation Recommendations
Organizations should upgrade Craft CMS to 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the vulnerability is patched; since the first fixed builds are beta releases, teams that cannot run pre-release software should track the first stable release that contains the fix rather than staying on an affected version. Until the upgrade is applied, disable the Public Schema if it is enabled: this removes the unauthenticated path but does not protect against authenticated users who hold a token for any other schema, so also review which GraphQL schemas and tokens exist and who holds them. Restrict GraphQL endpoint access at the network level (trusted IP ranges, VPN) where the site's architecture allows it. Monitor web server and Craft logs for GraphQL requests containing the @parseRefs directive or reference-tag syntax such as {user:1:email}; if your own front end does not use @parseRefs, a WAF rule that blocks request bodies containing it is a low-risk temporary control, otherwise alert rather than block and tune on the known-good queries. Finally, include GraphQL schema permissions and custom plugins in regular security reviews to ensure no additional authorization bypasses exist.
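Detection logic for the log-monitoring recommendation above, as an added example that is not part of this advisory or of any Craft or OffSeq tooling. It assumes GraphQL requests have been exported as JSON lines with the fields ts, src, authenticated and body (the raw POST body), which is a constructed format rather than Craft's own log layout; the reference-tag regex covers the simple {type:id:attribute} form shown on this page and would need extending for other tag variants. The sample requests are constructed.

```python
import json
import re

# The directive named in the advisory, as it appears in a GraphQL document.
DIRECTIVE_RE = re.compile(r"@parseRefs\b")
# Simplified Craft reference tag: {elementType:id:attribute}, e.g. {user:1:email}.
REF_TAG_RE = re.compile(r"\{([A-Za-z]+):(\d+):([A-Za-z_][A-Za-z0-9_]*)\}")
# Element types whose attributes are the most sensitive if leaked (prioritisation assumption).
SENSITIVE_TYPES = {"user"}


def analyze_request(entry):
    """Score one logged GraphQL request; returns None when nothing is noteworthy.

    Severity: high   - @parseRefs used without authentication, or a tag targets a user
              medium - @parseRefs used by an authenticated caller
              low    - reference tags present in the request but no directive
    """
    try:
        body = json.loads(entry["body"])
    except (KeyError, TypeError, ValueError):
        return None
    if not isinstance(body, dict):
        return None
    query = body.get("query") or ""
    variables = json.dumps(body.get("variables") or {})
    uses_directive = bool(DIRECTIVE_RE.search(query))
    tags = REF_TAG_RE.findall(query) + REF_TAG_RE.findall(variables)
    if not uses_directive and not tags:
        return None
    if uses_directive:
        severity = "medium" if entry.get("authenticated") else "high"
    else:
        severity = "low"
    if any(t[0].lower() in SENSITIVE_TYPES for t in tags):
        severity = "high"
    return {
        "ts": entry.get("ts"),
        "src": entry.get("src"),
        "severity": severity,
        "directive": uses_directive,
        "ref_tags": ["{%s:%s:%s}" % t for t in tags],
    }


def analyze_log(lines):
    """Run analyze_request over JSON-lines input, skipping blank or malformed lines."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except ValueError:
            continue
        finding = analyze_request(entry)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample log: one line per GraphQL POST, body stored as the raw request body.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2026-03-05T10:00:01Z", "src": "198.51.100.7", "authenticated": False,
     "body": json.dumps({"query": "query { entries(section: \"news\") { title body @parseRefs } }"})},
    {"ts": "2026-03-05T10:00:02Z", "src": "203.0.113.9", "authenticated": True,
     "body": json.dumps({"query": "query { entries { summary @parseRefs } }"})},
    {"ts": "2026-03-05T10:00:03Z", "src": "203.0.113.9", "authenticated": True,
     "body": json.dumps({"query": "mutation Save($text: String) { save(text: $text) { id } }",
                         "variables": {"text": "see {user:1:email} and {entry:42:title}"}})},
    {"ts": "2026-03-05T10:00:04Z", "src": "192.0.2.44", "authenticated": False,
     "body": json.dumps({"query": "query { entries { title } }"})},
    {"ts": "2026-03-05T10:00:05Z", "src": "192.0.2.45", "authenticated": False,
     "body": "not json at all"},
]]

if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["severity"], f["src"], f["ts"], f["ref_tags"])
```

The third sample shows why variables are scanned as well as the query text: a reference tag that reaches the CMS through user-controlled content is the input that @parseRefs later resolves, so it is worth recording even when no directive appears in the same request.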
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-02T21:43:19.928Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69a85ed1d1a09e29cb4aedf5
Added to database: 3/4/2026, 4:33:21 PM
Last enriched: 3/4/2026, 4:47:53 PM
Last updated: 4/17/2026, 3:52:20 PM