Description
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
Published: 2026-05-12
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS versions 4.0.0 through 4.17.11 and 5.9.0 through 5.9.17 contain a missing authorization check in the GraphQL Address element resolver. The resolver does not enforce schema scope filtering on top‑level queries, allowing an attacker holding a GraphQL API token scoped to a low‑privilege user group to retrieve every address record in the system. This exposes personally identifiable information such as full names, mailing addresses, organizations, and tax identifiers. The flaw is a classic authorization bypass, classifiable under CWE‑862, and directly impacts data confidentiality.

Affected Systems

The vulnerability affects Craft CMS installations running any version from 4.0.0 up to, but not including, 4.17.12, and from 5.9.0 up to, but not including, 5.9.18. Users of these products should verify that they have not deployed the affected release versions.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker who obtains a GraphQL API token—whether through credential compromise or by creating a token with a limited user group scope—can leverage the API to perform cross‑scope data retrieval. No additional conditions such as elevated server privileges or network access are required beyond the possession of a valid token. The attack vector is thus the GraphQL API and the exploitation path is straightforward: send a top‑level address query using the compromised token and receive all address data.

Generated by OpenCVE AI on May 12, 2026 at 22:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Craft CMS to version 4.17.12 or later, or 5.9.18 or later, which contain the fix for the missing authorization check.
  • If updating is delayed, disable the Address element resolver in the GraphQL schema or restrict GraphQL API tokens to the minimum necessary user groups, ensuring no read access to address fields.
  • Audit existing GraphQL API tokens to confirm they are scoped correctly; revoke any tokens that inadvertently grant access to address data.


Advisories

Source: Github GHSA
ID: GHSA-gj2p-p9m4-c8gw
Title: Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
History

Thu, 14 May 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 13 May 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Craftcms; Craftcms craftcms

Type: Vendors & Products
Values Added: Craftcms; Craftcms craftcms

Tue, 12 May 2026 21:00:00 +0000

Type: Description
Values Added: Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

Type: Title
Values Added: Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics (cvssV4_0)
Values Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:22:37.063Z

Reserved: 2026-05-04T21:24:36.505Z

Link: CVE-2026-44010

Vulnrichment

Updated: 2026-05-13T14:22:31.442Z

NVD

Status : Deferred

Published: 2026-05-12T21:16:15.720

Modified: 2026-05-13T16:16:53.720

Link: CVE-2026-44010

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T09:45:09Z

Weaknesses