CVE-2026-32267 PUBLISHED

Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

Assigner: GitHub_M
Reserved: 11.03.2026
Published: 16.03.2026
Updated: 17.03.2026

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.7

Product Status

Vendor craftcms
Product cms
Versions
  • Version >= 4.0.0-RC1, < 4.17.6 is affected
  • Version >= 5.0.0-RC1, < 5.9.12 is affected

References

Problem Types

  • CWE-863: Incorrect Authorization