Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
Published: 2026-03-04
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized activation email trigger with potential user enumeration
Action: Immediate Patch
AI Analysis

Impact

CraftCMS versions before 5.9.0‑beta.2 and 4.17.0‑beta.2 expose the actionSendActivationEmail() endpoint to unauthenticated users and miss a permission check for pending accounts. An attacker can send activation emails for any pending user by supplying the user ID, which may be guessed or enumerated. If the attacker also controls the target’s email address, they can activate the account and gain unauthorized access to the system. The weakness is classified as CWE‑639, indicating improper authorization handling.

Affected Systems

All CraftCMS installations running versions earlier than 5.9.0‑beta.2 or 4.17.0‑beta.2 are affected, including 4.0.0, 4.0.0 RC1‑RC3, 4.17.0 beta1, 5.0.0 RC1, 5.9.0 beta1, and any prior releases. Users must verify their current version against these lists.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9 (moderate) and an EPSS score below 1 %, indicating very low to negligible current exploitation probability but still plausible. It is not listed in CISA’s KEV catalog. Attackers can exploit the unauthenticated endpoint to trigger mass activation emails or systematically enumerate user IDs, potentially leading to account takeover if email control is achieved. The lack of immediate exploitation evidence suggests the risk is primarily preventive, but the potential impact warrants rapid remediation.

Generated by OpenCVE AI on April 16, 2026 at 13:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official CraftCMS patches available in version 5.9.0‑beta.2 or 4.17.0‑beta.2 that correct the missing permission checks for the activation email endpoint.
  • If an immediate patch cannot be applied, restrict external access to the "/admin/actions/site/sendActivationEmail" endpoint by configuring authentication or firewall rules to allow only privileged users.
  • Monitor activation email requests for unusual patterns or repeated attempts to identify potential enumeration or abuse attempts.

Generated by OpenCVE AI on April 16, 2026 at 13:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-234q-vvw3-mrfq Craft CMS has unauthenticated activation email trigger with potential user enumeration
History

Thu, 05 Mar 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.17.0:beta1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.9.0:beta1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 05 Mar 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Description Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
Title Craft has an unauthenticated activation email trigger with potential user enumeration
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T17:31:39.392Z

Reserved: 2026-03-03T20:51:43.482Z

Link: CVE-2026-29069

cve-icon Vulnrichment

Updated: 2026-03-04T17:31:30.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-04T17:16:22.020

Modified: 2026-03-05T10:40:07.113

Link: CVE-2026-29069

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses