CVE-2026-33159 identifies a critical authentication bypass vulnerability in Craft CMS, a widely used content management system. The flaw exists in versions from 4.0.0-RC1 up to but not including 4.17.8, and from 5.0.0-RC1 up to but not including 5.9.14. Specifically, guest users—those without any authentication—can access the Config Sync updater index, which is intended to be protected. This access allows them to obtain signed data and execute state-changing Config Sync actions such as 'regenerate-yaml' and 'apply-yaml-changes'. These actions modify the CMS configuration files, which control critical system behavior. The vulnerability stems from missing authentication checks on these critical functions, classified under CWE-306 (Missing Authentication for Critical Function) and CWE-862 (Missing Authorization). Exploitation requires no privileges or user interaction and can be performed remotely over the network, increasing the attack surface. The CVSS 4.0 score of 6.9 (medium severity) reflects the ease of exploitation combined with the potential impact on system integrity and availability, though confidentiality impact is limited. No known exploits have been reported in the wild as of now. The vendor addressed this vulnerability in Craft CMS versions 4.17.8 and 5.9.14 by enforcing proper authentication on the Config Sync updater endpoints. Organizations running affected versions should apply these patches promptly to mitigate risk.

The vulnerability allows unauthenticated attackers to manipulate the configuration of Craft CMS installations remotely. By executing state-changing Config Sync actions, attackers can alter YAML configuration files that govern system behavior, potentially leading to service disruption, misconfiguration, or enabling further attacks such as privilege escalation or persistent backdoors. The integrity of the CMS is directly compromised, and availability may be affected if configuration changes cause system failures or downtime. Although confidentiality impact is limited since the vulnerability does not directly expose sensitive data, the ability to modify configurations without authentication poses a significant risk to operational security. Organizations relying on Craft CMS for website or application content management could face defacement, data loss, or downtime, impacting business continuity and reputation. The lack of required authentication and user interaction makes exploitation straightforward for remote attackers, increasing the likelihood of exploitation if patches are not applied.

1. Immediately upgrade Craft CMS to version 4.17.8 or later if using the 4.x branch, or to version 5.9.14 or later if using the 5.x branch. 2. If immediate upgrade is not feasible, restrict access to the Config Sync updater endpoints via network controls such as firewalls or web application firewalls (WAF) to trusted IP addresses only. 3. Implement strict access controls and authentication mechanisms around administrative and configuration endpoints to prevent unauthorized access. 4. Monitor logs for unusual access patterns or attempts to invoke Config Sync actions from unauthenticated sources. 5. Regularly audit CMS configurations and integrity of YAML files to detect unauthorized changes early. 6. Employ defense-in-depth by isolating CMS management interfaces from public networks where possible. 7. Educate administrators about the importance of timely patching and monitoring for suspicious activity related to configuration management.