CVE-2026-32267: CWE-863: Incorrect Authorization in craftcms cms
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
AI Analysis
Technical Summary
CVE-2026-32267 is an authorization bypass vulnerability identified in Craft CMS, a widely used content management system. The flaw exists in the UsersController->actionImpersonateWithToken method, which improperly validates the privileges of users attempting to impersonate others via a token-based mechanism. Specifically, low-privilege users or even unauthenticated users who have access to a shared URL containing a valid impersonation token can escalate their privileges to administrative level. This vulnerability affects Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.6, and from 5.0.0-RC1 up to but not including 5.9.12. The root cause is an incorrect authorization check (CWE-863), allowing unauthorized privilege escalation without requiring user interaction. The CVSS 4.0 base score is 7.7, reflecting high severity due to network exploitability, low attack complexity, and significant impact on confidentiality, integrity, and availability. No known exploits are publicly reported yet, but the potential for abuse is substantial given the administrative access gained. The vulnerability has been addressed in Craft CMS versions 4.17.6 and 5.9.12 through proper authorization enforcement in the impersonation functionality.
Potential Impact
Exploitation of this vulnerability enables an attacker with minimal privileges or even unauthenticated access via a shared URL to gain full administrative control over the Craft CMS instance. This can lead to unauthorized access to sensitive content, modification or deletion of data, creation of backdoors, and disruption of website availability. Organizations relying on Craft CMS for critical web services, e-commerce platforms, or internal portals face risks of data breaches, reputational damage, and operational downtime. The ability to impersonate admin users undermines trust in user authentication and authorization mechanisms, potentially allowing attackers to pivot to other internal systems if integrated. The widespread use of Craft CMS in various sectors amplifies the potential impact globally.
Mitigation Recommendations
1. Immediately upgrade Craft CMS installations to version 4.17.6 or later, or 5.9.12 or later, where the vulnerability is patched. 2. Review and restrict access to any shared URLs that enable impersonation tokens, ensuring they are only distributed to trusted users. 3. Implement monitoring and alerting for unusual impersonation activities or privilege escalations within the CMS logs. 4. Conduct a thorough audit of user accounts and permissions to detect any unauthorized changes or suspicious admin accounts. 5. If upgrading immediately is not feasible, consider disabling or restricting the UsersController->actionImpersonateWithToken functionality temporarily. 6. Educate administrators and users about the risks of sharing impersonation URLs and enforce strict access controls. 7. Employ web application firewalls (WAF) to detect and block suspicious requests targeting impersonation endpoints.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil, India
CVE-2026-32267: CWE-863: Incorrect Authorization in craftcms cms
Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-32267 is an authorization bypass vulnerability identified in Craft CMS, a widely used content management system. The flaw exists in the UsersController->actionImpersonateWithToken method, which improperly validates the privileges of users attempting to impersonate others via a token-based mechanism. Specifically, low-privilege users or even unauthenticated users who have access to a shared URL containing a valid impersonation token can escalate their privileges to administrative level. This vulnerability affects Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.6, and from 5.0.0-RC1 up to but not including 5.9.12. The root cause is an incorrect authorization check (CWE-863), allowing unauthorized privilege escalation without requiring user interaction. The CVSS 4.0 base score is 7.7, reflecting high severity due to network exploitability, low attack complexity, and significant impact on confidentiality, integrity, and availability. No known exploits are publicly reported yet, but the potential for abuse is substantial given the administrative access gained. The vulnerability has been addressed in Craft CMS versions 4.17.6 and 5.9.12 through proper authorization enforcement in the impersonation functionality.
Potential Impact
Exploitation of this vulnerability enables an attacker with minimal privileges or even unauthenticated access via a shared URL to gain full administrative control over the Craft CMS instance. This can lead to unauthorized access to sensitive content, modification or deletion of data, creation of backdoors, and disruption of website availability. Organizations relying on Craft CMS for critical web services, e-commerce platforms, or internal portals face risks of data breaches, reputational damage, and operational downtime. The ability to impersonate admin users undermines trust in user authentication and authorization mechanisms, potentially allowing attackers to pivot to other internal systems if integrated. The widespread use of Craft CMS in various sectors amplifies the potential impact globally.
Mitigation Recommendations
1. Immediately upgrade Craft CMS installations to version 4.17.6 or later, or 5.9.12 or later, where the vulnerability is patched. 2. Review and restrict access to any shared URLs that enable impersonation tokens, ensuring they are only distributed to trusted users. 3. Implement monitoring and alerting for unusual impersonation activities or privilege escalations within the CMS logs. 4. Conduct a thorough audit of user accounts and permissions to detect any unauthorized changes or suspicious admin accounts. 5. If upgrading immediately is not feasible, consider disabling or restricting the UsersController->actionImpersonateWithToken functionality temporarily. 6. Educate administrators and users about the risks of sharing impersonation URLs and enforce strict access controls. 7. Employ web application firewalls (WAF) to detect and block suspicious requests targeting impersonation endpoints.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-11T15:05:48.398Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69b859da771bdb17492b2db2
Added to database: 3/16/2026, 7:28:26 PM
Last enriched: 3/24/2026, 12:56:19 AM
Last updated: 4/30/2026, 12:01:47 AM
Views: 192
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.