{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/craft-cms/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003e= 5.0.0, \u003c 5.9.18)","cms (\u003e= 4.0.0, \u003c 4.17.12)","Craft CMS Pro"],"_cs_severities":["high"],"_cs_tags":["craftcms","graphql","pii","disclosure"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA missing authorization check in Craft CMS Pro\u0026rsquo;s GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) allows unauthorized access to sensitive user data. Specifically, a GraphQL API token with limited permissions (e.g., read access to a single low-privilege user group) can bypass intended scope restrictions and retrieve all addresses within the system. This includes addresses associated with users belonging to groups the token should not have access to, effectively exposing PII. This vulnerability affects Craft CMS Pro 4.0.0 and later before 4.17.12, and 5.0.0 and later before 5.9.18, and presents a significant risk to data confidentiality, especially for organizations using GraphQL APIs for headless CMS deployments. 
The issue was identified through manual source code review with AI-assisted analysis.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker obtains a GraphQL API token with read access to at least one user group within Craft CMS.\u003c/li\u003e\n\u003cli\u003eAttacker introspects the GraphQL schema to discover the available top-level queries, including \u003ccode\u003eaddresses\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAttacker inspects the \u003ccode\u003eAddressInterface\u003c/code\u003e type to identify exposed fields, such as \u003ccode\u003efullName\u003c/code\u003e, \u003ccode\u003eaddressLine1\u003c/code\u003e, \u003ccode\u003eorganization\u003c/code\u003e, and \u003ccode\u003eorganizationTaxId\u003c/code\u003e, revealing potential PII.\u003c/li\u003e\n\u003cli\u003eAttacker makes a baseline query to the GraphQL API using the token to confirm that the token\u0026rsquo;s user scope is limited to a single user group.\u003c/li\u003e\n\u003cli\u003eAttacker issues an \u003ccode\u003eaddresses\u003c/code\u003e query with the same token, bypassing the intended scope restrictions.\u003c/li\u003e\n\u003cli\u003eThe API returns address data for ALL user groups, including those outside the token\u0026rsquo;s authorized scope, exposing PII of users in restricted groups.\u003c/li\u003e\n\u003cli\u003eAttacker uses the \u003ccode\u003eownerId\u003c/code\u003e argument to perform an IDOR attack, targeting specific users\u0026rsquo; addresses by their IDs without proper authorization.\u003c/li\u003e\n\u003cli\u003eAttacker extracts sensitive address information, including corporate tax IDs, for internal users they should not have access to, completing the data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe vulnerability allows an attacker with minimal permissions to extract sensitive PII, including full names, home addresses, organizations, and tax IDs. This poses a direct threat to user data privacy and organizational security. All Craft CMS Pro sites on affected versions (4.0.0 and later before 4.17.12, 5.0.0 and later before 5.9.18) that use GraphQL API tokens with user group scoping and store user addresses are potentially affected. The targeted extraction via IDOR can be used for reconnaissance against high-value users such as administrators. If successful, the attacker gains unauthorized access to confidential information, leading to potential financial loss, reputational damage, and legal repercussions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Craft CMS to 4.17.12 or 5.9.18 (or later) to patch CVE-2026-44010.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect CraftCMS GraphQL Address Resolver Unauthorized Access\u003c/code\u003e to your SIEM to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict the permissions of GraphQL API tokens to follow the principle of least privilege, minimizing the potential impact of unauthorized access.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual GraphQL queries that select \u003ccode\u003eaddresses\u003c/code\u003e, particularly with an \u003ccode\u003eownerId\u003c/code\u003e argument, from tokens scoped to a user group. GraphQL queries travel in the POST body to a single endpoint, so standard web server access logs will not show them; request-body logging or inspection at a WAF or application layer is needed.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T17:49:17Z","date_published":"2026-05-06T17:49:17Z","id":"/briefs/2026-05-craftcms-graphql-disclosure/","summary":"A missing authorization check in the GraphQL Address element resolver of Craft CMS Pro allows a GraphQL API token scoped to a low-privilege user group to read all addresses in the system, including those belonging to users in groups the token is not authorized to access, exposing personally identifiable information (PII).","title":"Craft CMS GraphQL Address Resolver Missing Authorization Allows PII 
Disclosure","url":"https://feed.craftedsignal.io/briefs/2026-05-craftcms-graphql-disclosure/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["cms (\u003c 4.17.12)","cms (\u003c 5.9.18)"],"_cs_severities":["high"],"_cs_tags":["craft-cms","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eCraft CMS 4.x before 4.17.12 and 5.x before 5.9.18 are vulnerable to authenticated remote code execution. The vulnerability stems from an input-handling flaw in a Yii object creation path, allowing any authenticated user to inject malicious configuration and execute arbitrary commands on the server. The attacker abuses Yii\u0026rsquo;s dynamic object configuration feature, which Craft CMS uses to instantiate parts of itself from configuration arrays. This vulnerability is related to a previously disclosed issue (GHSA-255j-qw47-wjh5) but uses a different, unmitigated path: the conversion of a condition\u0026rsquo;s field layout data into a live FieldLayout object, which is performed without validating the supplied configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated user (any account, not only an administrator) logs into the Craft CMS admin panel.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request to \u003ccode\u003e/admin/actions/element-search/search\u003c/code\u003e with a JSON payload.\u003c/li\u003e\n\u003cli\u003eThe JSON payload contains a \u003ccode\u003econdition\u003c/code\u003e parameter with a nested \u003ccode\u003efieldLayouts\u003c/code\u003e array.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003efieldLayouts\u003c/code\u003e array, the attacker injects an object configuration for \u003ccode\u003eyii\\\\behaviors\\\\AttributeTypecastBehavior\u003c/code\u003e carrying a \u003ccode\u003e__construct()\u003c/code\u003e key, the key Yii\u0026rsquo;s object configuration uses to pass constructor arguments.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e__construct()\u003c/code\u003e entry carries the malicious configuration, including 
\u003ccode\u003eattributeTypes\u003c/code\u003e and \u003ccode\u003etypecastBeforeSave\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003etypecastBeforeSave\u003c/code\u003e parameter is configured to execute a shell command (e.g., using \u003ccode\u003e/bin/bash -c\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe server-side application processes the request and attempts to create a FieldLayout object from the provided configuration data.\u003c/li\u003e\n\u003cli\u003eDue to the lack of sanitization, the malicious configuration is injected during object creation, leading to the execution of the attacker-controlled command.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows an attacker to execute arbitrary commands on the server with the privileges of the web server user. This can lead to complete compromise of the Craft CMS instance, including data theft, modification, or deletion. An attacker could also pivot to other systems on the network from the compromised server. 
No victim count or targeted sector is reported; any Craft CMS instance running a vulnerable version is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Craft CMS to 4.17.12 or 5.9.18 (or later) to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Craft CMS RCE Attempt via Element Search\u003c/code\u003e to identify exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor POST requests to \u003ccode\u003e/admin/actions/element-search/search\u003c/code\u003e for suspicious JSON payloads, particularly those containing \u003ccode\u003eyii\\\\behaviors\\\\AttributeTypecastBehavior\u003c/code\u003e or a \u003ccode\u003e__construct()\u003c/code\u003e key inside \u003ccode\u003efieldLayouts\u003c/code\u003e. Standard access logs do not record request bodies, so this check needs body logging or WAF/application-layer inspection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-craft-cms-rce/","summary":"Craft CMS versions before 4.17.12 and 5.9.18 are vulnerable to authenticated remote code execution via malicious behavior injection in the field layout hydration path.","title":"Craft CMS Authenticated Remote Code Execution via Malicious Attached Behavior","url":"https://feed.craftedsignal.io/briefs/2024-01-craft-cms-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Craft CMS","version":"https://jsonfeed.org/version/1.1"}
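The following is an added example for the first brief (the GraphQL Address resolver missing-authorization issue); it is not Craft CMS code and does not reproduce src/gql/resolvers/elements/Address.php. It models, in Python rather than PHP, what the missing check is: a pre-fix resolver that honours the ownerId argument but never consults the token's user-group scope, beside a hardened resolver that filters every returned address by its owner's group membership. The users, groups, addresses and token scope are constructed here; the field names (fullName, addressLine1, organization, organizationTaxId, ownerId) come from the brief.

```python
"""Model of the Craft CMS GraphQL address scope check (added example, not Craft code).

All data below is constructed for illustration. The real resolver is PHP; this
mirrors its decision only: which addresses a group-scoped token may read.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    group_ids: frozenset  # user groups this account belongs to


@dataclass(frozen=True)
class Address:
    id: int
    owner_id: int           # the user the address belongs to (GraphQL ownerId)
    full_name: str
    address_line1: str
    organization: str
    organization_tax_id: str


@dataclass(frozen=True)
class GqlToken:
    # Constructed: the user groups this GraphQL token is allowed to read
    readable_group_ids: frozenset


# Constructed sample data: an admin, an editor and a customer account.
USERS = {
    1: User(1, frozenset({"admins"})),
    2: User(2, frozenset({"editors"})),
    3: User(3, frozenset({"customers"})),
}
ADDRESSES = [
    Address(10, 1, "Admin One", "1 Server Way", "Example Corp", "TAX-ADMIN"),
    Address(11, 2, "Editor Two", "2 Draft Street", "Example Corp", "TAX-EDIT"),
    Address(12, 3, "Customer Three", "3 Shop Road", "", ""),
]


def resolve_addresses_vulnerable(token, owner_id=None):
    """Pre-fix behaviour as the brief describes it: ownerId narrows the result,
    but the token's group scope is never checked, so every address is readable."""
    return [a for a in ADDRESSES if owner_id is None or a.owner_id == owner_id]


def owner_is_in_scope(token, owner_id):
    """True when the address owner belongs to at least one group the token may read."""
    user = USERS.get(owner_id)
    return user is not None and bool(user.group_ids & token.readable_group_ids)


def resolve_addresses_scoped(token, owner_id=None):
    """Hardened form: the scope check is applied per returned element, so an
    ownerId outside the token's scope yields an empty list. Returning nothing
    (rather than a distinct error) also avoids confirming that the user exists."""
    return [
        a for a in ADDRESSES
        if (owner_id is None or a.owner_id == owner_id)
        and owner_is_in_scope(token, a.owner_id)
    ]


def leaked_tax_ids(resolver, token, owner_id=None):
    """Tax IDs a given resolver hands to the token; the brief's headline PII item."""
    return sorted(a.organization_tax_id for a in resolver(token, owner_id)
                  if a.organization_tax_id)


if __name__ == "__main__":
    customers_only = GqlToken(frozenset({"customers"}))
    print("vulnerable, no filter :", [a.id for a in resolve_addresses_vulnerable(customers_only)])
    print("vulnerable, ownerId=1 :", leaked_tax_ids(resolve_addresses_vulnerable, customers_only, 1))
    print("scoped, no filter     :", [a.id for a in resolve_addresses_scoped(customers_only)])
    print("scoped, ownerId=1     :", resolve_addresses_scoped(customers_only, 1))
```

The point of the scoped version is where the check sits: it is evaluated for each element the resolver is about to return, not once against the query's top-level arguments, so neither the unfiltered query nor the ownerId IDOR step in the attack chain can reach addresses of users in groups the token cannot read.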
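The following is an added example for the second brief (the authenticated RCE via the element-search endpoint); it is not Craft CMS code and is not the Sigma rule the brief references. It implements the monitoring recommendation as a request-body check: walk the JSON payload of a POST to /admin/actions/element-search/search and flag the keys that Yii's object configuration honours when building an object from an array (class, __construct(), and the "as name" / "on event" attachment keys). The endpoint path, the condition/fieldLayouts structure and the AttributeTypecastBehavior class name are taken from the brief; the exact layout of the malicious payload, the ALLOWED_CLASS_PREFIXES allowlist and both sample requests are assumptions constructed for illustration, and the payload carries a placeholder rather than a working command.

```python
"""Request-body check for Yii object-configuration injection (added example).

Not Craft CMS code and not the referenced Sigma rule. The two request bodies
below are constructed; no traffic was captured.
"""
import json

TARGET_PATH = "/admin/actions/element-search/search"
# Assumption: legitimate condition payloads only reference Craft's own classes.
ALLOWED_CLASS_PREFIXES = ("craft\\",)


def walk(node, path=()):
    """Yield (path, key, value) for every dict entry in a nested JSON value."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield path, key, value
            yield from walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, path + (index,))


def find_object_config_injection(method, path, body):
    """Return [(json_path, reason), ...] for one request; [] means nothing found.

    Keys checked are the ones Yii honours when it builds an object from a
    configuration array: 'class' (which class to instantiate), '__construct()'
    (constructor arguments), and 'as <name>' / 'on <event>' (attach a behavior
    or event handler to a component).
    """
    if method != "POST" or path != TARGET_PATH:
        return []
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    findings = []
    for loc, key, value in walk(payload):
        where = ".".join(str(part) for part in loc + (key,))
        if key == "class" and isinstance(value, str):
            if "AttributeTypecastBehavior" in value:
                findings.append((where, "yii\\behaviors\\AttributeTypecastBehavior configuration"))
            elif not value.startswith(ALLOWED_CLASS_PREFIXES):
                findings.append((where, "class outside allowlist: " + value))
        elif key == "__construct()":
            findings.append((where, "constructor-argument key"))
        elif isinstance(key, str) and key.startswith(("as ", "on ")):
            findings.append((where, "behavior/event attachment key"))
    return findings


# Constructed sample requests (assumed shapes, not captured traffic).
BENIGN_BODY = json.dumps({
    "condition": {"class": "craft\\elements\\conditions\\entries\\EntryCondition"},
})
MALICIOUS_BODY = json.dumps({
    "condition": {
        "class": "craft\\elements\\conditions\\entries\\EntryCondition",
        "fieldLayouts": [{
            "as injected": {  # attaches a behavior to the hydrated FieldLayout
                "class": "yii\\behaviors\\AttributeTypecastBehavior",
                "__construct()": [],
                "attributeTypes": {"x": "<placeholder, no real callable>"},
                "typecastBeforeSave": True,
            },
        }],
    },
})


def scan(requests):
    """Apply the check to (method, path, body) tuples; return only the hits."""
    hits = []
    for method, path, body in requests:
        found = find_object_config_injection(method, path, body)
        if found:
            hits.append((path, found))
    return hits


if __name__ == "__main__":
    for path, found in scan([("POST", TARGET_PATH, BENIGN_BODY),
                             ("POST", TARGET_PATH, MALICIOUS_BODY)]):
        for where, reason in found:
            print(f"{path}: {where}: {reason}")
```

Because the weakness is object-configuration injection rather than one class name, the check keys on the configuration mechanism (__construct(), "as "/"on " attachment keys, and classes outside the allowlist) instead of matching only AttributeTypecastBehavior; the path restriction can be widened to other endpoints that accept condition payloads, at the cost of tuning the allowlist against legitimate traffic.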