SB2026061670 - Multiple vulnerabilities in Craft CMS



SB2026061670 - Multiple vulnerabilities in Craft CMS

Published: June 16, 2026

Security Bulletin ID SB2026061670
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

Medium 33% Low 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Input validation error (CVE-ID: CVE-2026-44011)

CWE-ID: CWE-20 - Improper input validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary commands on the server.

The vulnerability exists due to improper input validation in the Yii object creation path for FieldLayout hydration when handling crafted POST requests with request-controlled condition field layout data. A remote user can inject malicious configuration through a specially crafted request to execute arbitrary commands on the server.

The issue can be triggered from authenticated requests to element index actions that pass through the same beforeAction() path.


2) Missing Authorization (CVE-ID: CVE-2026-44010)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the GraphQL Address element resolver when handling top-level GraphQL queries. A remote user can send a crafted GraphQL query with a scoped API token to disclose sensitive information.

The issue exposes address records across user groups outside the token's authorized schema scope, including personally identifiable information such as names, addresses, organizations, and tax IDs. The ownerId argument can also be used for targeted extraction of specific users' address data.


3) Missing Authorization (CVE-ID: CVE-2026-44012)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in AssetsController::actionShowInFolder() when handling control panel requests for asset IDs. A remote user can supply an arbitrary asset ID to disclose sensitive information.

The issue exposes asset filenames and complete folder hierarchy details, including volume handles, volume UIDs, folder names, folder UIDs, and folder URI paths.


Remediation

Install update from vendor's website.