Description
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
Published: 2026-03-10
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure of Unpublished Content
Action: Apply Patches
AI Analysis

Impact

Craft CMS allows attackers to influence the preview token creation endpoint at /actions/preview/create-token because the action accepts a previewToken from the request and does not enforce CSRF protection. An authenticated editor with valid session cookies can be tricked into hitting this endpoint and will receive a preview token chosen by the attacker. Once the token is obtained, the attacker can use it in subsequent GET requests without authentication to view unpublished or preview content that the victim is authorized to see. This information disclosure exposes content that is not yet public, potentially compromising competitive advantage, privacy, or intellectual property.

Affected Systems

Vendors: Craft CMS; product: Craft CMS; affected versions: any release earlier than 4.17.4 for the 4.x series or earlier than 5.9.7 for the 5.x series.

Risk and Exploitability

The CVSS score of 2.3 indicates low severity, and the EPSS score of less than 1% means exploitation probability is very low. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted request that forces a logged-in editor to request a preview token with an attacker-supplied value. No authentication is required to use the token, so the attacker can retrieve previewed or unpublished content belonging to the victim. The risk is mainly informational disclosure rather than denial of service or remote code execution, but exposure of internal content can have business and privacy consequences.

Generated by OpenCVE AI on April 16, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.4 or later, or 5.9.7 or later, depending on your current major release.
  • If an upgrade cannot be performed immediately, temporarily disable the /actions/preview/create-token endpoint or add CSRF protection to enforce that the request originates from the same origin.
  • Configure the application so that it rejects any client-supplied previewToken values and only generates tokens server-side after verifying the user's session.
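As an added example (not Craft CMS code and not part of the OpenCVE record), the following Python scan runs over constructed access-log lines and flags the two halves of this issue: a create-token request that carries a client-supplied previewToken, marked cross-site when the Referer is missing or from another host, and a later request that presents the same token from a different client. The site host name, the log lines and the use of the default combined log format are assumptions.

```python
"""Added example, not Craft CMS project code: access-log scan for the CVE-2026-29113
pattern. SITE_HOST and SAMPLE_LOG are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qs

SITE_HOST = "cms.example.test"  # assumption: the CMS's own host name
MINT_PATH = "/actions/preview/create-token"

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes "referer" ...
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')

# Constructed sample lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.9 - - [10/Mar/2026:10:00:01 +0000] "GET /actions/preview/create-token?previewToken=abc123 HTTP/1.1" 200 12 "https://third-party.example/page.html"',
    '203.0.113.9 - - [10/Mar/2026:10:00:05 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 12 "https://cms.example.test/admin/entries/1"',
    '198.51.100.7 - - [10/Mar/2026:10:02:00 +0000] "GET /news/draft-post?token=abc123 HTTP/1.1" 200 3401 "-"',
]

def parse_line(line):
    """Parse one access-log line into a dict with path and query fields, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec

def find_client_supplied_mints(lines):
    """Create-token requests carrying a client-chosen previewToken.
    Returns (ip, token, cross_site); cross_site is True when the Referer is
    missing or from another host, the shape a CSRF-driven request leaves behind."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        token = rec["query"].get("previewToken")
        if rec["path"] != MINT_PATH or token is None:
            continue
        ref_host = urlsplit(rec["referer"]).hostname  # "-" or "" gives None
        hits.append((rec["ip"], token, ref_host != SITE_HOST))
    return hits

def find_token_reuse(lines, mints):
    """Later requests presenting a flagged token from a different client IP."""
    minted_by = {token: ip for ip, token, _ in mints}
    reuse = []
    for rec in filter(None, map(parse_line, lines)):
        for value in rec["query"].values():
            if value in minted_by and rec["ip"] != minted_by[value]:
                reuse.append((rec["ip"], rec["path"], value))
    return reuse
```

A POST from the control panel with no previewToken in the query string (second sample line) is left alone; only client-chosen tokens and their reuse elsewhere are reported.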


Advisories

Source: Github GHSA
ID: GHSA-vg3j-hpm9-8v5v
Title: Craft CMS has a potential information disclosure vulnerability in preview tokens

History

Thu, 12 Mar 2026 15:45:00 +0000

  First Time appeared: Craftcms craft Cms
  CPEs: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  Vendors & Products: Craftcms craft Cms
  Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N'}

Wed, 11 Mar 2026 12:00:00 +0000

  First Time appeared: Craftcms; Craftcms craftcms
  Vendors & Products: Craftcms; Craftcms craftcms

Tue, 10 Mar 2026 20:15:00 +0000

  Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 10 Mar 2026 20:00:00 +0000

  Description: Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim's authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
  Title: Craft has a potential information disclosure vulnerability in preview tokens
  Weaknesses: CWE-352
  References:
  Metrics: cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T20:06:27.216Z

Reserved: 2026-03-03T21:54:06.710Z

Link: CVE-2026-29113

Vulnrichment

Updated: 2026-03-10T20:06:12.418Z

NVD

Status: Analyzed

Published: 2026-03-10T20:16:38.060

Modified: 2026-03-12T15:36:11.803

Link: CVE-2026-29113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses