Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
Published: 2026-03-16
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

Craft CMS permits a low‑privilege or unauthenticated user who receives a shared URL to elevate their privileges to administrator by calling the UsersController->actionImpersonateWithToken() method. The vulnerability is an instance of arbitrary account impersonation (CWE‑863) that results in full administrative access without the need for valid credentials.

Affected Systems

Affected Craft CMS releases include all versions from 4.0.0‑RC1 up to but not including 4.17.6, as well as from 5.0.0‑RC1 up to but not including 5.9.12. The patch is incorporated in 4.17.6 and 5.9.12 respectively.

Risk and Exploitability

The CVSS score of 7.7 indicates a high impact, while the EPSS score of <1% suggests the likelihood of exploitation is low. The issue is not listed in CISA’s KEV catalog. Attackers can exploit this remotely by providing a crafted link that targets the impersonate endpoint, requiring only low‑privilege or unauthenticated access to trigger the privilege escalation.

Generated by OpenCVE AI on March 17, 2026 at 18:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Craft CMS to version 4.17.6 or later, or 5.9.12 or later.
  • Verify the upgrade by confirming the current CMS version through the admin panel or a version query endpoint.
  • If upgrading is not immediately feasible, restrict access to shared URLs, disable or restrict the impersonate endpoint via configuration, and monitor for unauthorized admin account creation.

Generated by OpenCVE AI on March 17, 2026 at 18:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cc7p-2j3x-x7xf Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
History

Wed, 18 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Tue, 17 Mar 2026 15:45:00 +0000

Type Values Removed Values Added
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

 cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Tue, 17 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 16 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
Title Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
Weaknesses CWE-863
References
Metrics cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T15:43:25.399Z

Reserved: 2026-03-11T15:05:48.398Z

Link: CVE-2026-32267

cve-icon Vulnrichment

Updated: 2026-03-17T14:20:56.913Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-16T20:16:19.480

Modified: 2026-03-17T17:44:31.020

Link: CVE-2026-32267

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:56Z

Weaknesses