
CVE-2026-29113: CWE-352: Cross-Site Request Forgery (CSRF) in craftcms cms

Severity: Low
Tags: vulnerability, CVE-2026-29113, CWE-352
Published: Tue Mar 10 2026 (03/10/2026, 19:44:44 UTC)
Source: CVE Database V5
Vendor/Project: craftcms
Product: cms

Description

Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.

AI-Powered Analysis

AI analysis last updated: 03/10/2026, 20:14:29 UTC

Technical Analysis

Craft CMS, a widely used content management system, suffers from a CSRF vulnerability identified as CVE-2026-29113 affecting versions prior to 4.17.4 and 5.9.7. The vulnerability exists in the /actions/preview/create-token endpoint, which is responsible for generating preview tokens that allow users to view unpublished content. This endpoint improperly accepts a previewToken parameter supplied by an attacker and does not enforce the use of POST requests or require a valid CSRF token. Consequently, an attacker can trick a logged-in editor into minting a preview token chosen by the attacker through a crafted request. Once generated, the attacker can use this token without authentication to access unpublished content within the victim’s authorized preview scope. This bypasses normal access controls and exposes potentially sensitive unpublished data. The vulnerability is classified under CWE-352 (Cross-Site Request Forgery) and has a CVSS 4.0 base score of 2.3, indicating low severity primarily due to the requirement of a logged-in victim and limited impact scope. The flaw was publicly disclosed in March 2026 and has been addressed in Craft CMS versions 4.17.4 and 5.9.7. No public exploits have been reported, but the vulnerability poses a privacy risk for organizations relying on Craft CMS for content management and editorial workflows.

Potential Impact

The primary impact of this vulnerability is unauthorized access to unpublished content within Craft CMS installations. Attackers can leverage the CSRF flaw to generate preview tokens tied to a victim editor’s permissions, enabling them to view content not yet published or intended for public consumption. This can lead to premature disclosure of sensitive information, intellectual property leakage, or exposure of confidential editorial materials. While the vulnerability does not allow modification or deletion of content, the confidentiality breach can damage organizational reputation and competitive advantage. The requirement for a logged-in victim editor limits the attack scope, but organizations with multiple editors or public-facing editorial portals remain at risk. Since the attacker can access preview content without authentication once the token is minted, this could facilitate further reconnaissance or social engineering attacks. The low CVSS score reflects the limited impact and exploitation complexity, but the risk remains significant for entities handling sensitive unpublished data.

Mitigation Recommendations

Organizations should immediately upgrade Craft CMS to versions 4.17.4 or 5.9.7 or later, where this vulnerability is patched. Until upgrades can be applied, administrators should consider restricting editor access to trusted users only and monitor for unusual preview token generation activity. Implementing web application firewall (WAF) rules to detect and block suspicious requests to the /actions/preview/create-token endpoint can reduce exploitation risk. Additionally, enforcing strict Content Security Policy (CSP) headers and SameSite cookie attributes can help mitigate CSRF attack vectors. Educating editors about the risks of clicking on untrusted links while logged in can reduce the likelihood of successful CSRF attacks. Regularly auditing CMS logs for anomalous preview token creation and access patterns is recommended. Finally, developers should review custom plugins or integrations that interact with preview tokens to ensure they do not introduce similar CSRF weaknesses.
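A log-side check for the activity the mitigation text says to monitor, added here as an example and not part of the advisory or of Craft CMS itself: it scans combined-format web server log lines for hits on /actions/preview/create-token and flags those that are not POST, that carry a previewToken in the query string, or that arrive with a Referer from outside the site's own hosts. The log format, the sample lines and the trusted host set are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

# Combined-format access log line: method, request target, status, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Endpoint named in the advisory; assumes the default Craft "actions" route prefix.
ENDPOINT = "/actions/preview/create-token"

def analyse_line(line, trusted_hosts):
    """Findings for one log line; None if it is not a request to the endpoint."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlparse(m["target"])
    if target.path.rstrip("/") != ENDPOINT:
        return None
    findings = []
    if m["method"] != "POST":            # advisory: the action did not require POST
        findings.append("non-POST request")
    if "previewToken" in parse_qs(target.query):   # token value chosen by the caller
        findings.append("caller-supplied previewToken in query string")
    referer = m["referer"]
    if referer not in ("", "-"):         # editor's browser was sent here from another site
        host = urlparse(referer).hostname
        if host not in trusted_hosts:
            findings.append(f"cross-site referer: {host}")
    return findings

def flag_preview_token_requests(lines, trusted_hosts):
    """Return the endpoint hits that show at least one finding, in log order."""
    flagged = []
    for line in lines:
        findings = analyse_line(line, trusted_hosts)
        if findings:
            flagged.append({"line": line, "findings": findings})
    return flagged

# Constructed sample log lines (not real traffic): a normal editor POST from the
# control panel, a forged GET carrying an attacker-chosen token, and unrelated noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:19:50:01 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 312 "https://cms.example.com/admin/entries/blog/42" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2026:19:52:17 +0000] "GET /actions/preview/create-token?previewToken=abc123 HTTP/1.1" 200 312 "https://evil.example.net/article" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2026:19:53:00 +0000] "GET /blog/42 HTTP/1.1" 200 8123 "-" "curl/8.0"',
]
```

Running `flag_preview_token_requests(SAMPLE_LOG, {"cms.example.com"})` flags only the second line, with all three findings; the legitimate control-panel POST produces none.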


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-03T21:54:06.710Z
CVSS Version: 4.0
State: PUBLISHED


Added to database: 3/10/2026, 8:00:01 PM

Last enriched: 3/10/2026, 8:14:29 PM

Last updated: 3/13/2026, 6:12:33 AM
