{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-24T02:42:53.706Z", "dateUpdated": "2026-02-28T02:13:48.422Z"}, "containers": {"cna": {"title": "Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897"}, {"name": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.5.0-RC1, < 4.16.19", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.8.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:42:53.706Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS\u2019s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token\u2019s usage count, checks if it\u2019s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue."}], "source": {"advisory": "GHSA-6fx5-5cw5-4897", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-28T02:13:24.368912Z", "id": "CVE-2026-27128", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:13:48.422Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27128", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-28T02:13:24.368912Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:13:42.868Z"}}], "cna": {"title": "Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit", "source": {"advisory": "GHSA-6fx5-5cw5-4897", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.5.0-RC1, < 4.16.19"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.23"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "name": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS\u2019s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token\u2019s usage count, checks if it\u2019s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:42:53.706Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27128", "state": "PUBLISHED", "dateUpdated": "2026-02-28T02:13:48.422Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T02:42:53.706Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "FF425F3E-1E6A-4EE8-A1F8-9FA5399DE8DD", "versionEndExcluding": "4.16.19", "versionStartExcluding": "4.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A9572A70-5447-4861-9EC3-E51C5A7A9C56", "versionEndExcluding": "5.8.23", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "48EC469C-4A9C-40A5-AD71-386D47255223", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "25BADF46-CF5B-448C-BE38-D297D7512534", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS\u2019s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token\u2019s usage count, checks if it\u2019s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos (CMS). En las versiones 4.5.0-RC1 a 4.16.18 y 5.0.0-RC1 a 5.8.22, existe una condici\u00f3n de carrera Time-of-Check-Time-of-Use (TOCTOU) en el servicio de validaci\u00f3n de tokens de Craft CMS para tokens que establecen expl\u00edcitamente un uso limitado. El m\u00e9todo `getTokenRoute()` lee el recuento de uso de un token, verifica si est\u00e1 dentro de los l\u00edmites y luego actualiza la base de datos en operaciones no at\u00f3micas separadas. Al enviar solicitudes concurrentes, un atacante puede usar un token de suplantaci\u00f3n de un solo uso varias veces antes de que se complete la actualizaci\u00f3n de la base de datos. Para que esto funcione, un atacante necesita obtener una URL de suplantaci\u00f3n de cuenta de usuario v\u00e1lida con un token no caducado por otros medios y explotar una condici\u00f3n de carrera mientras elude cualquier regla de limitaci\u00f3n de velocidad existente. Para que esto sea una escalada de privilegios, la URL de suplantaci\u00f3n debe incluir un token para una cuenta de usuario con m\u00e1s permisos que el usuario actual. Las versiones 4.16.19 y 5.8.23 aplican un parche al problema."}], "id": "CVE-2026-27128", "lastModified": "2026-02-27T20:06:52.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.7, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:02.623", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0-RC1,4.16.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.23)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-17T15:53:18.233227+00:00", "value": {"mitigation_remediation": ["Upgrade to the latest patched Craft CMS release (4.16.19 or 5.8.23, or later).", "If an upgrade is not immediately possible, restrict or disable the creation of limited\u2011usage impersonation tokens and apply strict rate limiting on token usage endpoints.", "Monitor application logs for repeated usage of the same token and block IPs or sessions exhibiting suspicious patterns."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Token Reuse"}, "threat_synthesis": {"affected_systems": "Vulnerable Craft CMS releases include version 4.5.0\u2011RC1 through 4.16.18 and 5.0.0\u2011RC1 through 5.8.22. The secure releases that fix the race condition are Craft CMS 4.16.19 and 5.8.23. Organisations using any of these versions should verify whether their deployment is affected.", "description_and_impact": "Craft CMS contains a Time\u2011of\u2011Check Time\u2011of\u2011Use race condition in its token validation service. The code reads a token\u2019s usage count, verifies it is within allowed limits, and then updates the database in separate non\u2011atomic operations. An attacker can issue multiple concurrent requests using the same limited\u2011usage token before the usage count is incremented, allowing the token to be used more times than intended. If the token belongs to a user with higher privileges than the current user, this can elevate the attacker\u2019s access level. The weakness matches CWE\u2011367.", "risk_and_exploitability": "The CVSS base score is 6.9, indicating a moderate severity. The EPSS score is below 1\u202f%, implying a low probability of exploitation at any given time. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an existing, valid impersonation URL with a non\u2011expired token for a target user, as well as the ability to send concurrent requests and bypass any rate\u2011limiting controls. Once those conditions are met, the race condition can be triggered to gain elevated privileges."}}}}, "created": "2026-02-24T09:53:10.612272+00:00", "updated": "2026-04-17T16:00:11.378573+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}