Craft CMS, a widely used content management system, suffers from a critical authorization vulnerability identified as CVE-2026-32267. This vulnerability exists in versions 4.0.0-RC1 through 4.17.5 and 5.0.0-RC1 through 5.9.11. The root cause is an incorrect authorization check (CWE-863) in the UsersController->actionImpersonateWithToken method, which is intended to allow privileged users to impersonate other users securely. However, due to improper access control, a low-privilege user or even an unauthenticated user who has been sent a shared URL containing a token can exploit this function to escalate their privileges to that of an administrator. This bypasses normal authentication and authorization mechanisms, granting full administrative rights. The vulnerability is exploitable remotely over the network without requiring user interaction or prior authentication, making it highly dangerous. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) reflects that the attack complexity is low, no privileges or user interaction are needed, and the impact on confidentiality, integrity, and availability is high. Although no public exploits have been reported yet, the vulnerability's nature and severity suggest it could be weaponized quickly. The issue was addressed and patched in Craft CMS versions 4.17.6 and 5.9.12, and users are strongly advised to update to these or later versions to prevent exploitation.

The impact of CVE-2026-32267 is severe for organizations using affected versions of Craft CMS. An attacker exploiting this vulnerability can gain full administrative privileges, allowing them to modify, delete, or exfiltrate sensitive content and data managed by the CMS. This can lead to website defacement, data breaches, unauthorized data manipulation, and disruption of services. Since Craft CMS is often used to manage public-facing websites and internal portals, the compromise could damage organizational reputation, cause regulatory compliance violations, and result in financial losses. The vulnerability's ease of exploitation without authentication or user interaction increases the risk of widespread attacks, especially in environments where shared URLs are distributed. Organizations relying on Craft CMS for critical web infrastructure or content delivery are at heightened risk of targeted attacks, data integrity violations, and persistent unauthorized access.

To mitigate this vulnerability, organizations should immediately upgrade Craft CMS to version 4.17.6 or 5.9.12 or later, where the authorization flaw has been fixed. Until the upgrade can be applied, administrators should restrict access to shared URLs that include impersonation tokens and audit any existing shared links for potential misuse. Implement network-level protections such as web application firewalls (WAFs) to detect and block suspicious requests targeting the UsersController->actionImpersonateWithToken endpoint. Review and tighten user role assignments and permissions to minimize the number of users with impersonation capabilities. Monitor CMS logs for unusual impersonation activity or privilege escalations. Additionally, consider disabling or limiting the impersonation feature if it is not essential to business operations. Regularly review and update CMS components and dependencies to ensure timely application of security patches.