CVE-2026-29069 is a medium-severity authorization bypass vulnerability affecting Craft CMS, a popular content management system. The flaw resides in the actionSendActivationEmail() endpoint, which prior to versions 5.9.0-beta.2 and 4.17.0-beta.2, is accessible without authentication and does not enforce permission checks on pending user accounts. This endpoint allows sending activation emails to users who have registered but not yet activated their accounts. An attacker who can guess or enumerate user IDs can trigger activation emails for any pending user. If the attacker also controls the email address associated with the target user account, they can complete the activation process and gain unauthorized access to the CMS. This bypasses normal authorization controls and allows account takeover without requiring credentials or user interaction. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and low impact on confidentiality. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.0-beta.2, and from 5.0.0-RC1 up to but not including 5.9.0-beta.2. The flaw was publicly disclosed on March 4, 2026, and no known exploits have been reported in the wild. The issue is resolved by adding proper permission checks and restricting access to the activation email endpoint in the fixed beta releases.

This vulnerability allows unauthenticated attackers to activate pending user accounts if they can guess user IDs and control the associated email addresses. The primary impact is unauthorized account activation and access, which can lead to unauthorized content management, data exposure, or further privilege escalation within the CMS environment. Organizations using vulnerable Craft CMS versions may face risks of account takeover, leading to potential website defacement, data leakage, or use of the CMS as a foothold for deeper network compromise. Since the vulnerability requires control over the target email address, the risk is somewhat mitigated but remains significant in environments where email addresses are predictable or attacker-controlled addresses are used during registration. The ease of exploitation (no authentication or user interaction required) and network accessibility of the endpoint increase the threat level. The vulnerability could disrupt the integrity and availability of CMS-managed websites and services, impacting business operations and reputation.

Organizations should immediately upgrade Craft CMS to versions 5.9.0-beta.2 or later, or 4.17.0-beta.2 or later, where the vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the actionSendActivationEmail() endpoint by implementing network-level controls such as IP whitelisting or web application firewall (WAF) rules to block unauthorized requests. Additionally, monitoring and alerting on unusual activation email requests or spikes in activation activity can help detect exploitation attempts. Review user registration and activation workflows to ensure email addresses are verified and that pending accounts cannot be activated without proper authorization. Implement rate limiting on activation email requests to reduce the risk of brute force or enumeration attacks on user IDs. Finally, educate users and administrators about the risk and encourage strong email security practices to prevent attackers from controlling target email accounts.