Missing Authorization in Craft CMS - CVE-2026-44010
Published: June 16, 2026


Vulnerability identifier: #VU134671
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-44010
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Pixel & Tonic, Inc.
Affected software:
Craft CMS

Detailed vulnerability description

The vulnerability allows a remote user to obtain sensitive information.

The vulnerability exists because the GraphQL Address element resolver does not enforce the schema scope of the API token when it handles top-level GraphQL queries. A remote user holding a scoped API token can send a crafted GraphQL query and read address records that the token's schema should not expose.

The issue exposes address records of users in groups outside the token's authorized schema scope, including personally identifiable information such as names, postal addresses, organizations and tax IDs. Passing the ownerId argument narrows the query to a chosen user, allowing targeted extraction of that user's address data.
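The following Python model illustrates the class of defect described above: a top-level resolver that filters addresses by ownerId but never checks whether the owner's user group lies inside the token's schema scope, beside a resolver that applies that check first. It is an added example, not Craft CMS code; the Address, User and Token structures, the "readable_groups" scope model, the resolver names and the sample records are all constructed for illustration and do not reflect Craft's internal API.

```python
"""Scoped-token authorization in a GraphQL address resolver (illustrative model).

Added illustration, not Craft CMS code. The element fields, the token/schema
structure and the sample records are constructed for this example. The pattern
is the one the advisory describes: a top-level query filtered by ownerId with
no check that the owner belongs to a group the token's schema may read.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set


@dataclass
class Address:
    id: int
    owner_id: int
    full_name: str
    address_line1: str
    organization: str
    tax_id: str


@dataclass
class User:
    id: int
    group: str


@dataclass
class Token:
    # Constructed scope model: user groups the token's GraphQL schema may read.
    name: str
    readable_groups: FrozenSet[str] = field(default_factory=frozenset)


# Constructed sample data: two user groups, one address per user.
USERS = {
    1: User(1, "customers"),
    2: User(2, "customers"),
    3: User(3, "staff"),
}
ADDRESSES = [
    Address(10, 1, "Ada Example", "1 Main St", "Example Co", "TAX-0001"),
    Address(11, 2, "Bo Sample", "2 High St", "Sample Ltd", "TAX-0002"),
    Address(12, 3, "Cy Internal", "3 Back St", "Internal Inc", "TAX-0003"),
]


def resolve_addresses_vulnerable(token: Token, owner_id: Optional[int] = None) -> List[Address]:
    """Missing authorization (CWE-862): the token is accepted but its scope is
    never consulted, so ownerId alone decides what comes back."""
    return [a for a in ADDRESSES if owner_id is None or a.owner_id == owner_id]


def resolve_addresses_fixed(token: Token, owner_id: Optional[int] = None) -> List[Address]:
    """Authorization applied before the data filter: an address is visible only
    when its owner's group is within the token's readable groups. A targeted
    ownerId outside that scope yields an empty result instead of the record."""
    allowed_owners = {u.id for u in USERS.values() if u.group in token.readable_groups}
    return [
        a for a in ADDRESSES
        if a.owner_id in allowed_owners and (owner_id is None or a.owner_id == owner_id)
    ]


def leaked_ids(token: Token, owner_id: Optional[int] = None) -> Set[int]:
    """Address ids the vulnerable resolver returns that the fixed one withholds."""
    vuln = {a.id for a in resolve_addresses_vulnerable(token, owner_id)}
    ok = {a.id for a in resolve_addresses_fixed(token, owner_id)}
    return vuln - ok


if __name__ == "__main__":
    storefront = Token("public-storefront", frozenset({"customers"}))
    print("leaked on unscoped query:", sorted(leaked_ids(storefront)))
    print("leaked on targeted ownerId=3:", sorted(leaked_ids(storefront, 3)))
```

With a token scoped to the "customers" group, the vulnerable resolver returns the staff user's address both on an unscoped query and when ownerId targets that user directly; the fixed resolver returns only addresses whose owners are inside the token's scope. The point to carry over to a real deployment is that the scope check must run inside the resolver for every entry point, including top-level queries, rather than relying on schema configuration alone.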


How to mitigate CVE-2026-44010

Install the security update from the vendor's website. Until it is applied, treat every issued GraphQL API token as able to read address records of all users, and review GraphQL request logs for top-level address queries, in particular ones that pass ownerId values outside the audience the token was issued for.

Sources