CVE-2026-33159

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.0.0-RC1 through 4.17.7 Craft CMS versions 5.0.0-RC1 through 5.9.13

Description Craft CMS is a content management system. Guest users can access the Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. The ConfigSyncController extends BaseUpdaterController, and the base updater is anonymously accessible for control panel requests. The index endpoint emits signed updater state (data), which can be reused by guests in subsequent requests. Sensitive actions reachable through this method include actionApplyYamlChanges, actionRegenerateYaml, applyExternalChanges, and regenerateExternalConfig. An attacker can send a POST request to /admin/actions/config-sync/index to extract the signed data, then reuse it in subsequent requests to endpoints like /admin/actions/config-sync/regenerate-yaml or /admin/actions/config-sync/apply-yaml-changes, potentially causing unauthorized configuration state transitions and a service integrity risk.

Recommendations Craft CMS versions 4.0.0-RC1 through 4.17.7 should be updated to version 4.17.8 or later. Craft CMS versions 5.0.0-RC1 through 5.9.13 should be updated to version 5.9.14 or later.