CVE-2026-44010: CWE-862: Missing Authorization in craftcms cms
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
AI Analysis
Technical Summary
Craft CMS's GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) in versions 4.0.0 to before 4.17.12 and 5.0.0 to before 5.9.18 does not enforce schema scope filtering on top-level queries. This missing authorization (CWE-862) allows a GraphQL API token with limited privileges to read all address data in the system, including data belonging to users outside the token's authorized groups. The exposed data includes sensitive PII such as full names, addresses, organizations, and tax IDs. The vulnerability has a CVSS 4.0 score of 7.1 (high severity). Official fixes were released in versions 4.17.12 and 5.9.18.
Potential Impact
Unauthorized disclosure of sensitive personally identifiable information (PII) including full names, addresses, organizations, and tax IDs. This exposure can lead to privacy violations and potential misuse of personal data. The vulnerability affects all installations of Craft CMS within the specified version ranges that use the GraphQL API with scoped tokens. There is no indication of privilege escalation or remote code execution, but the data exposure risk is significant.
Mitigation Recommendations
Apply the official patches by upgrading Craft CMS to version 4.17.12 or later, or 5.9.18 or later. These versions contain the fix that enforces proper schema scope filtering on GraphQL Address element queries. Since this is not a cloud service, administrators must manually update their installations. Patch status is confirmed by the vendor advisory stating the fix is included in these versions.
CVE-2026-44010: CWE-862: Missing Authorization in craftcms cms
Description
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Craft CMS's GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) in versions 4.0.0 to before 4.17.12 and 5.0.0 to before 5.9.18 does not enforce schema scope filtering on top-level queries. This missing authorization (CWE-862) allows a GraphQL API token with limited privileges to read all address data in the system, including data belonging to users outside the token's authorized groups. The exposed data includes sensitive PII such as full names, addresses, organizations, and tax IDs. The vulnerability has a CVSS 4.0 score of 7.1 (high severity). Official fixes were released in versions 4.17.12 and 5.9.18.
Potential Impact
Unauthorized disclosure of sensitive personally identifiable information (PII) including full names, addresses, organizations, and tax IDs. This exposure can lead to privacy violations and potential misuse of personal data. The vulnerability affects all installations of Craft CMS within the specified version ranges that use the GraphQL API with scoped tokens. There is no indication of privilege escalation or remote code execution, but the data exposure risk is significant.
Mitigation Recommendations
Apply the official patches by upgrading Craft CMS to version 4.17.12 or later, or 5.9.18 or later. These versions contain the fix that enforces proper schema scope filtering on GraphQL Address element queries. Since this is not a cloud service, administrators must manually update their installations. Patch status is confirmed by the vendor advisory stating the fix is included in these versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-04T21:24:36.505Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a0392cfcbff5d861018bb7d
Added to database: 5/12/2026, 8:51:27 PM
Last enriched: 5/12/2026, 9:07:14 PM
Last updated: 5/13/2026, 4:51:20 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.