SB2026061670 - Multiple vulnerabilities in Craft CMS
Published: June 16, 2026
Description
This security bulletin contains information about 3 vulnerabilities.
1) Input validation error (CVE-ID: CVE-2026-44011)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary commands on the server.
The vulnerability exists due to improper input validation in the Yii object creation path for FieldLayout hydration when handling crafted POST requests with request-controlled condition field layout data. A remote user can inject malicious configuration through a specially crafted request to execute arbitrary commands on the server.
The issue can be triggered from authenticated requests to element index actions that pass through the same beforeAction() path.
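The pattern behind item 1 is request-controlled object configuration reaching a hydrator that instantiates whatever class the configuration names. The following is an added, framework-free illustration written for this bulletin; it is not Craft's or Yii's code, and every class name, allowlist entry, property key and request body in it is hypothetical. It places the unsafe hydration shape beside one that validates the class against an allowlist before construction and only copies allowlisted scalar properties.

```php
<?php
declare(strict_types=1);

// Added example (not Craft's code): a tiny Yii::createObject-style hydrator
// that builds an object from an array config with a 'class' key. The unsafe
// version trusts the request; the hardened version allowlists class names and
// properties before anything is constructed. All names here are hypothetical.

final class TitleField       { public string $label = ''; public bool $required = false; }
final class CustomField      { public string $label = ''; public int $width = 100; }
final class UnrelatedService { public string $endpoint = ''; }  // any class a layout should never contain

const ALLOWED_LAYOUT_ELEMENT_CLASSES = [TitleField::class, CustomField::class];
const ALLOWED_LAYOUT_ELEMENT_PROPS   = ['label', 'required', 'width'];

/** Unsafe: instantiates whatever 'class' the config names and sets every remaining key as a property. */
function hydrateUnsafe(array $config): object
{
    $class = $config['class'];
    unset($config['class']);
    $obj = new $class();
    foreach ($config as $prop => $value) {
        $obj->$prop = $value;
    }
    return $obj;
}

/** Hardened: reject unknown classes before construction; copy only allowlisted, declared, scalar properties. */
function hydrateSafe(array $config): object
{
    $class = $config['class'] ?? null;
    if (!is_string($class) || !in_array($class, ALLOWED_LAYOUT_ELEMENT_CLASSES, true)) {
        throw new InvalidArgumentException('Disallowed field layout element class');
    }
    unset($config['class']);
    $obj = new $class();
    foreach ($config as $prop => $value) {
        if (!in_array($prop, ALLOWED_LAYOUT_ELEMENT_PROPS, true)
            || !property_exists($obj, $prop)
            || !is_scalar($value)) {
            throw new InvalidArgumentException("Unexpected property '$prop'");
        }
        $obj->$prop = $value;
    }
    return $obj;
}

// Constructed request bodies: one legitimate layout element, one naming a class
// that has nothing to do with field layouts.
$legit   = json_decode('{"class":"TitleField","label":"Headline","required":true}', true);
$crafted = json_decode('{"class":"UnrelatedService","endpoint":"http://example.invalid"}', true);

var_dump(hydrateUnsafe($crafted) instanceof UnrelatedService); // true: arbitrary class constructed
var_dump(hydrateSafe($legit) instanceof TitleField);           // true: allowlisted class accepted
try {
    hydrateSafe($crafted);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;                            // rejected before any object exists
}
```

The check runs on the class name string, before `new` is ever reached; validating the object after construction would be too late, since side effects can occur in constructors and property setters. Pinning the property list to what the element type actually declares keeps a request from reaching properties that happen to exist on an allowlisted class but were never meant to be request-settable.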
2) Missing Authorization (CVE-ID: CVE-2026-44010)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in the GraphQL Address element resolver when handling top-level GraphQL queries. A remote user can send a crafted GraphQL query with a scoped API token to disclose sensitive information.
The issue exposes address records across user groups outside the token's authorized schema scope, including personally identifiable information such as names, addresses, organizations, and tax IDs. The ownerId argument can also be used for targeted extraction of specific users' address data.
3) Missing Authorization (CVE-ID: CVE-2026-44012)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in AssetsController::actionShowInFolder() when handling control panel requests for asset IDs. A remote user can supply an arbitrary asset ID to disclose sensitive information.
The issue exposes asset filenames and complete folder hierarchy details, including volume handles, volume UIDs, folder names, folder UIDs, and folder URI paths.
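Items 2 and 3 share one shape: an identifier taken from the request (an `ownerId` argument, an asset ID) is resolved to a record and the record is returned without checking that the caller's scope covers it. The following added example, written for this bulletin and not taken from Craft, shows that shape for both cases next to a version that authorizes the resolved record against the caller's scope before any field is returned. The classes, sample records and the scope-string format are all constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Craft's code): "resolve the record, then return it" versus
// "resolve the record, check it against the caller's scope, then return it".
// Scope strings, classes and sample data are hypothetical and constructed here.

final class Caller
{
    /** @param string[] $scopes hypothetical format, e.g. "volume:<uid>:read" or "usergroup:<uid>:read" */
    public function __construct(public readonly array $scopes) {}
    public function hasScope(string $scope): bool { return in_array($scope, $this->scopes, true); }
}

final class Asset
{
    public function __construct(public readonly int $id, public readonly string $volumeUid,
        public readonly string $filename, public readonly string $folderPath) {}
}

final class Address
{
    public function __construct(public readonly int $ownerId, public readonly string $ownerGroupUid,
        public readonly string $fullName, public readonly string $taxId) {}
}

final class AccessDenied extends RuntimeException {}

/** Constructed sample records standing in for the database. */
function assets(): array
{
    return [
        1 => new Asset(1, 'vol-public', 'banner.png', 'public/images'),
        2 => new Asset(2, 'vol-hr', 'contract.pdf', 'hr/contracts/2026'),
    ];
}
function addresses(): array
{
    return [
        new Address(10, 'grp-customers', 'A. Customer', 'TAX-1'),
        new Address(20, 'grp-staff', 'B. Staff', 'TAX-2'),
    ];
}

/** Unsafe: any asset ID yields its folder hierarchy and filename. */
function showInFolderUnsafe(int $assetId): ?array
{
    $a = assets()[$assetId] ?? null;
    return $a ? ['volumeUid' => $a->volumeUid, 'folderPath' => $a->folderPath, 'filename' => $a->filename] : null;
}

/** Safe: the owning volume of the resolved asset must be within the caller's scope. */
function showInFolderSafe(Caller $caller, int $assetId): ?array
{
    $a = assets()[$assetId] ?? null;
    if ($a === null) {
        return null;
    }
    if (!$caller->hasScope("volume:{$a->volumeUid}:read")) {
        // Respond as if the asset did not exist rather than confirming the ID is valid.
        throw new AccessDenied('not found');
    }
    return ['volumeUid' => $a->volumeUid, 'folderPath' => $a->folderPath, 'filename' => $a->filename];
}

/** Unsafe: filters by ownerId only, so any owner's addresses are returned. */
function addressesForOwnerUnsafe(int $ownerId): array
{
    return array_values(array_filter(addresses(), fn(Address $x) => $x->ownerId === $ownerId));
}

/** Safe: restrict to groups in scope first; an ownerId can then only narrow that set, never widen it. */
function addressesForOwnerSafe(Caller $caller, ?int $ownerId = null): array
{
    $inScope = array_filter(addresses(), fn(Address $x) => $caller->hasScope("usergroup:{$x->ownerGroupUid}:read"));
    if ($ownerId !== null) {
        $inScope = array_filter($inScope, fn(Address $x) => $x->ownerId === $ownerId);
    }
    return array_values($inScope);
}

// A caller scoped to the public volume and the customers group only.
$caller = new Caller(['volume:vol-public:read', 'usergroup:grp-customers:read']);

var_dump(showInFolderUnsafe(2)['folderPath']);            // "hr/contracts/2026": leaked
var_dump(showInFolderSafe($caller, 1)['folderPath']);     // "public/images": in scope
try { showInFolderSafe($caller, 2); } catch (AccessDenied $e) { echo $e->getMessage(), PHP_EOL; }

var_dump(count(addressesForOwnerUnsafe(20)));             // 1: staff record leaked
var_dump(count(addressesForOwnerSafe($caller, 20)));      // 0: outside scope
var_dump(count(addressesForOwnerSafe($caller)));          // 1: only the customers-group record
```

The ordering matters: in the safe address resolver the scope filter is applied to the whole set before the optional `ownerId` narrows it, so a request-supplied identifier can only select among records the caller could already see. The same rule applies to the asset lookup, where the record is resolved first because the volume it belongs to is what the authorization decision depends on.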
Remediation
Install the update from the vendor's website.
References
- https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw
- https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
- https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
- https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
- https://github.com/craftcms/cms/security/advisories/GHSA-33m5-hqp9-97pw
- https://github.com/craftcms/cms/commit/e3f3eaab3d85badd713cfc2c24e5f0792ecdb586