Description
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Published: 2026-03-04
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Apply Patch
AI Analysis

Impact

Craft CMS contains a GraphQL directive named @parseRefs that resolves internal reference tags such as {user:1:email}. The element parser that processes this directive does not perform the required authorization checks, creating an Insecure Direct Object Reference flaw. As a result, attackers can read sensitive attributes of any element in the CMS, including data that the attacker should not be able to view. The vulnerability can be exploited by sending crafted GraphQL queries, and it is usable by both authenticated users and unauthenticated visitors when a Public Schema is enabled.
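A simplified model of the flaw and its fix, added here as an illustration and not Craft's own code: the reference-tag grammar {type:id:attribute} follows the advisory, while the element store, the Viewer class and the can_view_element rule are constructed assumptions. The unchecked resolver substitutes any element's attribute for any caller (the CWE-639 pattern); the checked one authorizes each referenced element against the requester first.

```python
import re
from dataclasses import dataclass, field

# Constructed sample element store standing in for the CMS; not real Craft data.
ELEMENTS = {
    ("user", 1): {"username": "editor", "email": "editor@example.test"},
    ("entry", 7): {"title": "Public post", "slug": "public-post"},
}

# Reference-tag grammar from the advisory: {type:id:attribute}, e.g. {user:1:email}
REF_TAG = re.compile(r"\{(?P<type>[a-z]+):(?P<id>\d+):(?P<attr>[A-Za-z_]+)\}")


@dataclass
class Viewer:
    """Hypothetical requester model; a guest models an unauthenticated public-schema query."""
    is_guest: bool = True
    can_view: set = field(default_factory=set)  # (type, id) pairs the viewer may read


def can_view_element(viewer: Viewer, etype: str, eid: int) -> bool:
    """Assumed authorization rule: entries are public, users only when explicitly granted."""
    if etype == "entry":
        return True
    return (etype, eid) in viewer.can_view


def _lookup(etype: str, eid: int, attr: str, tag: str) -> str:
    # Resolve one tag; unknown elements or attributes leave the tag text unchanged.
    return str(ELEMENTS.get((etype, eid), {}).get(attr, tag))


def parse_refs_unchecked(text: str) -> str:
    """Models the flawed behaviour: any element attribute is resolved regardless of caller."""
    return REF_TAG.sub(lambda m: _lookup(m["type"], int(m["id"]), m["attr"], m[0]), text)


def parse_refs_checked(text: str, viewer: Viewer) -> str:
    """Hardened variant: each referenced element is authorized against the viewer before
    substitution; unauthorized references stay unresolved so no attribute value is disclosed."""
    def sub(m):
        etype, eid = m["type"], int(m["id"])
        if not can_view_element(viewer, etype, eid):
            return m[0]
        return _lookup(etype, eid, m["attr"], m[0])
    return REF_TAG.sub(sub, text)
```

For a guest, `parse_refs_checked("Contact: {user:1:email}", Viewer())` returns the tag untouched, whereas the unchecked resolver returns the e-mail address.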

Affected Systems

The affected products are Craft CMS releases prior to 4.17.0-beta.1 in the 4.x line and prior to 5.9.0-beta.1 in the 5.x line. Any release of those versions that exposes the @parseRefs directive is vulnerable.

Risk and Exploitability

The flaw carries a CVSS base score of 8.7, indicating high severity. The EPSS score is reported as less than 1%, implying a very low current probability of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The flaw is reachable remotely over GraphQL and requires no privileges beyond those of an existing user or unauthenticated guest; its impact is confined to unauthorized data disclosure rather than system compromise.

Generated by OpenCVE AI on April 17, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to a patched release, 4.17.0-beta.1 or newer in the 4.x line or 5.9.0-beta.1 or newer in the 5.x line, to include the missing authorization check.
  • If an upgrade is not immediately possible, block or disable the @parseRefs directive in the GraphQL schema (or remove public schema access for unauthenticated guests) so that the vulnerable parsing logic is no longer reachable.
  • Apply application-level access controls: configure role-based permissions or GraphQL middleware to enforce authorization checks on data returned by the @parseRefs directive, ensuring only authorized users can retrieve sensitive element attributes.


Advisories
Source: GitHub GHSA
ID: GHSA-7x43-mpfg-r9wj
Title: Craft CMS has IDOR via GraphQL @parseRefs
History

Thu, 05 Mar 2026 20:00:00 +0000
Values added:
  First Time appeared: Craftcms craft Cms
  CPEs:
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  Vendors & Products: Craftcms craft Cms
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 05 Mar 2026 09:15:00 +0000
Values added:
  First Time appeared: Craftcms; Craftcms craftcms
  Vendors & Products: Craftcms; Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 16:30:00 +0000
Values added:
  Description: (text as in the Description section above)
  Title: Craft affected by IDOR via GraphQL @parseRefs
  Weaknesses: CWE-639
  References: (none shown)
  Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T18:00:59.824Z

Reserved: 2026-03-02T21:43:19.928Z

Link: CVE-2026-28696

Vulnrichment

Updated: 2026-03-04T18:00:54.892Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:21.050

Modified: 2026-03-05T19:54:51.777

Link: CVE-2026-28696

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses