Authorization bypass through user-controlled key in Craft CMS - CVE-2026-29069

Published: June 16, 2026


Vulnerability identifier: #VU134657
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-29069
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote attacker to trigger activation emails for arbitrary pending user accounts and potentially gain access to the system.

The vulnerability exists due to improper access control in the actionSendActivationEmail() endpoint, which acts on a user-supplied userId parameter for pending users without verifying that the caller is authorized to act on that account. A remote attacker can send a specially crafted request with an arbitrary user ID to trigger activation emails for arbitrary pending user accounts and potentially gain access to the system.

If the attacker controls the target user's email address, the activation flow can be completed to access the account. The endpoint responses can also reveal whether a user ID exists and whether the account is pending or active.
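The following sketch is an added illustration and not Craft CMS's own controller: it contrasts the unauthorized-key pattern described above with a hardened form that authorizes the caller before acting on the supplied userId and returns a uniform response so that IDs and account states cannot be enumerated. It assumes the Craft 4 Controller helpers (requirePostRequest, requireLogin, requirePermission, asSuccess, asFailure) and Users service methods (getUserById, sendActivationEmail) exist and behave as their names suggest.

```php
<?php
// Added illustration, not Craft CMS's own controller. Assumed: the Craft 4
// Controller helpers and Users service methods named below exist and behave
// as their names suggest.

namespace app\controllers;

use Craft;
use craft\elements\User;
use craft\web\Controller;
use yii\web\Response;

class ActivationController extends Controller
{
    // Vulnerable shape (CWE-639): the caller chooses the target by userId and
    // nothing checks that the caller may act on that account.
    public function actionSendActivationEmailVulnerable(): Response
    {
        $userId = (int)Craft::$app->getRequest()->getRequiredBodyParam('userId');
        $user = Craft::$app->getUsers()->getUserById($userId);
        if ($user === null) {
            return $this->asFailure('User not found');      // reveals whether the ID exists
        }
        if ($user->getStatus() !== User::STATUS_PENDING) {
            return $this->asFailure('User is not pending'); // reveals account state
        }
        Craft::$app->getUsers()->sendActivationEmail($user);
        return $this->asSuccess('Activation email sent');
    }

    // Hardened shape: authorize the caller before honouring the key, and keep
    // the response uniform so IDs and statuses cannot be enumerated.
    public function actionSendActivationEmail(): Response
    {
        $this->requirePostRequest();
        $this->requireLogin();
        // Pending users cannot log in, so resending on their behalf is an
        // administrative action; 'administrateUsers' is Craft's permission name.
        $this->requirePermission('administrateUsers');

        $userId = (int)Craft::$app->getRequest()->getRequiredBodyParam('userId');
        $user = Craft::$app->getUsers()->getUserById($userId);
        if ($user !== null && $user->getStatus() === User::STATUS_PENDING) {
            Craft::$app->getUsers()->sendActivationEmail($user);
        }
        // Same reply whether or not the ID existed or the account was pending.
        return $this->asSuccess('If that account is pending, an activation email was sent.');
    }
}
```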


How to mitigate CVE-2026-29069

Install the security update from the vendor's website.

Sources