CVE-2026-32267

moderate-risk
Published 2026-03-16

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
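A quick check for whether an installed Craft CMS version falls inside the affected ranges stated above. This is an added example, not code from Craft CMS or from the advisory; it assumes Composer-style ordering where a pre-release tag (alpha, beta, RC) sorts before the matching final release, so 4.17.6-RC1 counts as affected while 4.17.6 does not.

```python
"""Version check for CVE-2026-32267 in Craft CMS (added example, not project code).

Affected ranges come straight from the advisory text:
  >=4.0.0-RC1,<4.17.6  and  >=5.0.0-RC1,<5.9.12
Pre-release ordering (alpha < beta < RC < final) is an assumption matching how
Composer orders versions; the advisory itself only names the range endpoints.
"""
import re
from typing import Optional, Tuple

# (first affected, first fixed) per major branch, as stated in the advisory.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.6"),
    ("5.0.0-RC1", "5.9.12"),
]

# Rank of pre-release tags; a final release gets rank 3 so it sorts last.
_PRE_ORDER = {"alpha": 0, "a": 0, "beta": 1, "b": 1, "rc": 2}
_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(alpha|beta|rc|a|b)\.?(\d*))?",
    re.IGNORECASE,
)


def parse_version(v: str) -> Tuple[Tuple[int, int, int], Tuple[int, int]]:
    """Parse 'MAJOR.MINOR.PATCH[-PRE[N]]' into a tuple that sorts correctly.

    Raises ValueError for strings it does not recognise rather than guessing.
    """
    m = _VERSION_RE.fullmatch(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    core = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    if m.group(4) is None:
        pre = (3, 0)  # final release
    else:
        pre = (_PRE_ORDER[m.group(4).lower()], int(m.group(5) or 0))
    return core, pre


def minimum_fixed_version(version: str) -> Optional[str]:
    """Return the patched release on the same major branch, or None if unaffected."""
    key = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= key < parse_version(hi):
            return hi
    return None


def is_affected(version: str) -> bool:
    return minimum_fixed_version(version) is not None


if __name__ == "__main__":
    import sys

    # Constructed sample inputs; pass real versions on the command line instead.
    for v in sys.argv[1:] or ["4.17.5", "4.17.6", "5.9.11", "5.9.12", "5.0.0-RC1", "3.9.0"]:
        fix = minimum_fixed_version(v)
        print(f"{v}: {'AFFECTED, upgrade to ' + fix if fix else 'not affected'}")
```

Feed it the version reported by `composer show craftcms/cms` (Craft 4 and 5 are Composer-managed) or the version shown in the control panel. The check only tells you whether the code is in the affected range; it says nothing about whether the impersonation action is reachable in your deployment, so treat a hit as "upgrade", not as "exploitable".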

Do I need to act?

- EPSS 0.04% chance of exploitation (low exploit probability)
- Not on CISA KEV list: no confirmed active exploitation reported to CISA
- Fix available: upgrade to 4.17.6 (4.x) or 5.9.12 (5.x); fix commits 0a650c4f4080bc6c44e9f1a6d0cdf536a15a51c8, b38439ac3815a0a56c9f4cca34db5ddb1ce15dca
- CVSS 9.8/10 Critical (NETWORK / LOW complexity)

Affected Vendors

Craft CMS (4.0.0-RC1 to before 4.17.6; 5.0.0-RC1 to before 5.9.12)

Composite risk score 46 / 100 (moderate-risk), the sum of three components:
Severity 32/34 · Critical
Exploitability 0/34 · Minimal
Exposure 14/34 · Moderate