{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32267", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-11T15:05:48.398Z", "datePublished": "2026-03-16T19:04:47.781Z", "dateUpdated": "2026-03-18T15:43:25.399Z"}, "containers": {"cna": {"title": "Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"}, {"name": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.0.0-RC1, < 4.17.6", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.9.12", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T15:23:37.408Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12."}], "source": {"advisory": "GHSA-cc7p-2j3x-x7xf", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T15:43:19.926352Z", "id": "CVE-2026-32267", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T15:43:25.399Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32267", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-18T15:43:19.926352Z"}}}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T14:20:56.913Z"}}], "cna": {"title": "Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()", "source": {"advisory": "GHSA-cc7p-2j3x-x7xf", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.0.0-RC1, < 4.17.6"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.9.12"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "name": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-17T15:23:37.408Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32267", "state": "PUBLISHED", "dateUpdated": "2026-03-18T15:43:25.399Z", "dateReserved": "2026-03-11T15:05:48.398Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-16T19:04:47.781Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "0922971F-4611-451F-865F-A6E8D4159E93", "versionEndExcluding": "4.17.6", "versionStartIncluding": "4.0.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "5EC01156-366C-41ED-AAD2-22BBED25A0FB", "versionEndExcluding": "5.9.12", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12."}], "id": "CVE-2026-32267", "lastModified": "2026-03-17T17:44:31.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-16T20:16:19.480", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.17.6)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.12)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-03-17T18:24:02.507229+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Craft CMS to version 4.17.6 or later, or 5.9.12 or later.", "Verify the upgrade by confirming the current CMS version through the admin panel or a version query endpoint.", "If upgrading is not immediately feasible, restrict access to shared URLs, disable or restrict the impersonate endpoint via configuration, and monitor for unauthorized admin account creation."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "Affected Craft CMS releases include all versions from 4.0.0\u2011RC1 up to but not including 4.17.6, as well as from 5.0.0\u2011RC1 up to but not including 5.9.12. The patch is incorporated in 4.17.6 and 5.9.12 respectively.", "description_and_impact": "Craft CMS permits a low\u2011privilege or unauthenticated user who receives a shared URL to elevate their privileges to administrator by calling the UsersController->actionImpersonateWithToken() method. The vulnerability is an instance of arbitrary account impersonation (CWE\u2011863) that results in full administrative access without the need for valid credentials.", "risk_and_exploitability": "The CVSS score of 7.7 indicates a high impact, while the EPSS score of <1% suggests the likelihood of exploitation is low. The issue is not listed in CISA\u2019s KEV catalog. Attackers can exploit this remotely by providing a crafted link that targets the impersonate endpoint, requiring only low\u2011privilege or unauthenticated access to trigger the privilege escalation."}}}}, "created": "2026-03-17T09:52:16.558883+00:00", "updated": "2026-03-24T10:49:56.586859+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}