Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access the Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized configuration modification
Action: Immediate Patch
AI Analysis

Impact

Craft CMS versions 4.x before 4.17.8 and 5.x before 5.9.14 allow unauthenticated guest users to access the configuration-sync updater. By visiting the updater index they can retrieve signed data and invoke state-changing actions such as regenerate-yaml and apply-yaml-changes. The result is unauthorized modification of the site's project configuration, which can alter functionality, weaken security-related settings, or expose data. The root cause is a missing authentication check on these privileged operations (CWE-306) combined with a missing authorization check on who may perform them (CWE-862).

Affected Systems

The affected product is Craft CMS (vendor: Craft CMS). The vulnerability applies to every release in the 4.x line from 4.0.0-RC1 up to, but not including, 4.17.8, and to every release in the 5.x line from 5.0.0-RC1 up to, but not including, 5.9.14. Any installation of these versions that has the configuration sync feature enabled is susceptible.

Risk and Exploitability

The CVSS v3.1 base score is 6.9, indicating moderate severity with configuration tampering as the main consequence. The EPSS score is below 1%, so the likelihood of exploitation observed in the wild is currently low, and the vulnerability is not listed in CISA's KEV catalog. The attack vector is remote: the config-sync endpoints are reached through the site's publicly accessible HTTP/HTTPS interface, so crafted requests can be sent from anywhere the control panel is reachable. Exploitation requires no prior authentication, only knowledge of the endpoint URLs, so an unauthenticated user can trigger the exposed actions directly.

Generated by OpenCVE AI on March 26, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to 4.17.8 or later, or to 5.9.14 or later, depending on your version branch.
  • If an immediate upgrade is not feasible, block external access to the Config Sync endpoints (for example /admin/config-sync) using a web-application firewall or server-level access rules.
  • After the upgrade or blocking, verify that the Config Sync actions are no longer available to unauthenticated users by attempting to access the updater index and confirming that authentication is required.
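To carry out the verification step above, here is an added Python check (not OpenCVE's or Craft's code) that requests the updater index as a guest and reports whether the server now enforces authentication. It assumes the advisory's example path /admin/config-sync (Craft's control-panel prefix is configurable) and treats a redirect to a login page as enforcement.

```python
"""Post-fix check for CVE-2026-33159: is the Craft CMS Config Sync updater
index still served to unauthenticated guests?"""
import urllib.error
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Path taken from the advisory's example; Craft's control-panel trigger
# ("admin") is configurable, so adjust for non-default installs (assumption).
CONFIG_SYNC_INDEX = "/admin/config-sync"


def classify_response(status: int, location: Optional[str]) -> str:
    """Map a guest response to 'protected' or 'exposed'.

    401/403 means the guest was refused outright; a 3xx whose Location path
    contains 'login' means Craft bounced the guest to authenticate (assumed
    login-path convention). Anything else, notably 200, means the index was
    served to a guest and the fix is not in effect.
    """
    if status in (401, 403):
        return "protected"
    if 300 <= status < 400 and location:
        if "login" in urlparse(location).path.lower():
            return "protected"
    return "exposed"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow redirects, so the Location header stays observable.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def check_config_sync(base_url: str, timeout: float = 10.0) -> str:
    """GET the updater index with no session cookie and classify the reply.

    Only the read-only index is requested; the state-changing actions named
    in the advisory are never invoked.
    """
    url = base_url.rstrip("/") + CONFIG_SYNC_INDEX
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"Accept": "text/html"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.headers.get("Location"))
    except urllib.error.HTTPError as err:  # raised for unfollowed 3xx and 4xx
        return classify_response(err.code, err.headers.get("Location"))
```

Call check_config_sync with the site's base URL; a result of "exposed" means the index is still reachable by guests and the upgrade or blocking rule is not in effect.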



Advisories

  • Source: GitHub GHSA
    ID: GHSA-6mrr-q3pj-h53w
    Title: Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
History

Thu, 26 Mar 2026 17:15:00 +0000

Values added:
  • First time appeared: Craftcms craft Cms
  • CPEs:
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  • Vendors & Products: Craftcms craft Cms
  • Metrics (cvssV3_1): {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

Wed, 25 Mar 2026 12:00:00 +0000

Values added:
  • First time appeared: Craftcms; Craftcms craftcms
  • Vendors & Products: Craftcms; Craftcms craftcms

Tue, 24 Mar 2026 18:15:00 +0000

Values added:
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 17:45:00 +0000

Values added:
  • Description: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
  • Title: Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users
  • Weaknesses: CWE-306, CWE-862
  • References:
  • Metrics (cvssV4_0): {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T17:57:50.529Z

Reserved: 2026-03-17T21:17:08.887Z

Link: CVE-2026-33159

Vulnrichment

Updated: 2026-03-24T17:57:42.509Z

NVD

Status: Analyzed

Published: 2026-03-24T18:16:09.907

Modified: 2026-03-26T17:08:48.920

Link: CVE-2026-33159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:56Z

Weaknesses