Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Token Reuse
Action: Immediate Patch
AI Analysis

Impact

Craft CMS contains a Time‑of‑Check Time‑of‑Use race condition in its token validation service. The code reads a token’s usage count, verifies it is within allowed limits, and then updates the database in separate non‑atomic operations. An attacker can issue multiple concurrent requests using the same limited‑usage token before the usage count is incremented, allowing the token to be used more times than intended. If the token belongs to a user with higher privileges than the current user, this can elevate the attacker’s access level. The weakness matches CWE‑367.
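The read-check-update pattern described above, modelled beside the atomic form that removes the window, as an added Python/SQLite example. This is illustrative code, not Craft CMS's implementation: the `tokens` table, its `usageLimit` and `usageCount` columns, and the eight-request load are assumptions for the demo. The vulnerable path runs SELECT, compare and UPDATE as separate statements; the hardened path folds the limit check into a single conditional UPDATE and treats `rowcount == 0` as "limit already reached", so the database serialises the decision and the increment together.

```python
"""Model of the TOCTOU in a limited-usage token check, beside the atomic fix.

Illustrative Python/SQLite code, not Craft CMS code. The `tokens` table and
its `usageLimit`/`usageCount` columns are assumed names for this demo.
"""
import os
import sqlite3
import tempfile
import threading


def make_db(usage_limit=1):
    """Create a temp SQLite database holding one token (id 1) with the given limit.
    A NULL limit models an unlimited token."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE tokens (id INTEGER PRIMARY KEY, usageLimit INTEGER, "
        "usageCount INTEGER NOT NULL DEFAULT 0)"
    )
    con.execute("INSERT INTO tokens (id, usageLimit) VALUES (1, ?)", (usage_limit,))
    con.commit()
    con.close()
    return path


def consume_vulnerable(path, token_id, barrier=None):
    """Check-then-act: read the counter, compare, then increment in a second
    statement. Any request that runs between the two passes the same check."""
    con = sqlite3.connect(path, timeout=10)
    try:
        rows = con.execute(  # time of check: this value drives the decision
            "SELECT usageCount, usageLimit FROM tokens WHERE id = ?", (token_id,)
        ).fetchall()
        if not rows:
            return False
        count, limit = rows[0]
        if barrier is not None:
            barrier.wait()  # demo only: park every request so all reads precede any write
        if limit is not None and count >= limit:
            return False
        con.execute("UPDATE tokens SET usageCount = usageCount + 1 WHERE id = ?", (token_id,))
        con.commit()  # time of use: the counter moves long after it was read
        return True
    finally:
        con.close()


def consume_atomic(path, token_id, barrier=None):
    """Hardened form: one conditional UPDATE does check and increment together.
    Writers are serialised by the database, so at most usageLimit rows ever match."""
    con = sqlite3.connect(path, timeout=10)
    try:
        if barrier is not None:
            barrier.wait()  # same concurrent start as the vulnerable path
        cur = con.execute(
            "UPDATE tokens SET usageCount = usageCount + 1 "
            "WHERE id = ? AND (usageLimit IS NULL OR usageCount < usageLimit)",
            (token_id,),
        )
        con.commit()
        return cur.rowcount == 1  # rowcount 0 means the limit was already reached
    finally:
        con.close()


def hammer(path, consume, n_requests=8):
    """Fire n_requests concurrent uses of token 1 through `consume`.
    Returns (requests accepted, final usageCount stored in the database)."""
    barrier = threading.Barrier(n_requests)
    results = [False] * n_requests

    def worker(i):
        results[i] = consume(path, 1, barrier)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    con = sqlite3.connect(path)
    final = con.execute("SELECT usageCount FROM tokens WHERE id = 1").fetchone()[0]
    con.close()
    os.remove(path)
    return sum(results), final


if __name__ == "__main__":
    print("vulnerable, single-use token:", hammer(make_db(1), consume_vulnerable))
    print("atomic, single-use token:    ", hammer(make_db(1), consume_atomic))
```

With a single-use token the vulnerable path accepts all eight requests and leaves `usageCount` at 8; the atomic path accepts exactly one. The same `rowcount` check is what a detection rule can key on: a rejected conditional update is a concrete, loggable signal that a token was presented past its limit.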

Affected Systems

Vulnerable Craft CMS releases are 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The releases that fix the race condition are Craft CMS 4.16.19 and 5.8.23. Organisations running a release in either affected range should verify whether their deployment is affected.

Risk and Exploitability

The CVSS base score is 6.9, indicating medium severity. The EPSS score is below 1%, implying a low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an existing, valid impersonation URL with a non-expired token for a target user, as well as the ability to send concurrent requests and bypass any rate-limiting controls. Once those conditions are met, the race condition can be triggered to gain elevated privileges.

Generated by OpenCVE AI on April 17, 2026 at 15:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest patched Craft CMS release (4.16.19 or 5.8.23, or later).
  • If an upgrade is not immediately possible, restrict or disable the creation of limited‑usage impersonation tokens and apply strict rate limiting on token usage endpoints.
  • Monitor application logs for repeated usage of the same token and block IPs or sessions exhibiting suspicious patterns.


Advisories
Source: GitHub GHSA
ID: GHSA-6fx5-5cw5-4897
Title: Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
History

No entry removed values; each entry lists the values added.

Sat, 28 Feb 2026 03:15:00 +0000

  Metrics (added): ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 20:15:00 +0000

  First Time appeared (added): Craftcms craft Cms
  CPEs (added):
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  Vendors & Products (added): Craftcms craft Cms
  Metrics (added): cvssV3_1
    {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Tue, 24 Feb 2026 10:00:00 +0000

  First Time appeared (added): Craftcms, Craftcms craftcms
  Vendors & Products (added): Craftcms, Craftcms craftcms

Tue, 24 Feb 2026 03:00:00 +0000

  Description (added): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
  Title (added): Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit
  Weaknesses (added): CWE-367
  References (added):
  Metrics (added): cvssV4_0
    {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-02-28T02:13:48.422Z
  Reserved: 2026-02-17T18:42:27.043Z
  Link: CVE-2026-27128

Vulnrichment

  Updated: 2026-02-28T02:13:42.868Z

NVD

  Status: Analyzed
  Published: 2026-02-24T03:16:02.623
  Modified: 2026-02-27T20:06:52.050
  Link: CVE-2026-27128

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-17T16:00:11Z

Weaknesses