PT-2026-21610 · Craft Cms · Craft Cms

Vitalysim · Published 2026-02-23 · Updated 2026-02-24

CVE-2026-27128
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft versions 4.5.0-RC1 through 4.16.18
Craft versions 5.0.0-RC1 through 5.8.22
Description
Craft CMS contains a Time-of-Check-Time-of-Use (TOCTOU) race condition in its token validation service, affecting tokens configured with a usage limit. The getTokenRoute() method performs the check and the update as separate, non-atomic operations: it reads the token's current usage count, verifies that the count is below the limit, and only then writes the incremented count back to the database. Concurrent requests that present the same token between the read and the write all observe the pre-update count, so all of them pass the check, and a single-use impersonation token can be redeemed more than once before the database update is finalized. Successful exploitation requires a valid, non-expired impersonation URL and bypassing any rate-limiting mechanisms that would otherwise block the burst of concurrent requests. If the impersonation URL grants access to an account with higher privileges than the attacker's own, the result is privilege escalation.
Recommendations
Craft versions 4.5.0-RC1 through 4.16.18 should be updated to version 4.16.19 or later.
Craft versions 5.0.0-RC1 through 5.8.22 should be updated to version 5.8.23 or later.
Until the update is applied, an outstanding impersonation URL on an affected version should be treated as potentially reusable rather than single-use.
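The race described above, as an added example that is not Craft's code: a Python/sqlite3 model of a usage-limited token lookup written in the check-then-update form, beside the atomic conditional-UPDATE form that closes the window. The table, column names and the token value are assumptions, and the concurrent interleaving is modelled explicitly (every request's check runs before any request's write) rather than left to thread timing, so the outcome is reproducible. The single-statement fix is a standard remedy for this pattern, not a description of the change shipped in Craft 4.16.19 / 5.8.23.

```python
import sqlite3
from typing import Optional, Tuple

TOKEN = "abc123"  # constructed sample token; a real one is a long random string


def make_db(usage_limit: Optional[int] = 1) -> sqlite3.Connection:
    """Constructed fixture: one usage-limited token row in a hypothetical schema
    (table and column names are assumptions, not Craft's actual schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tokens (id INTEGER PRIMARY KEY, token TEXT UNIQUE, route TEXT, "
        "usageLimit INTEGER, usageCount INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute(
        "INSERT INTO tokens (token, route, usageLimit) VALUES (?, ?, ?)",
        (TOKEN, "users/impersonate", usage_limit),
    )
    conn.commit()
    return conn


# --- Vulnerable pattern: check in application code, then update separately ---

def vuln_check(conn: sqlite3.Connection, token: str) -> Optional[Tuple[int, str]]:
    """Time of check: read the row and enforce the limit in application code."""
    row = conn.execute(
        "SELECT id, route, usageLimit, usageCount FROM tokens WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    token_id, route, limit, count = row
    if limit is not None and count >= limit:
        return None  # limit reached
    return token_id, route


def vuln_use(conn: sqlite3.Connection, token_id: int) -> None:
    """Time of use: record the use. Nothing ties this write to the count that was
    checked, so every request whose check ran before this write also passed."""
    conn.execute("UPDATE tokens SET usageCount = usageCount + 1 WHERE id = ?", (token_id,))
    conn.commit()


def vulnerable_get_token_route(conn: sqlite3.Connection, token: str) -> Optional[str]:
    checked = vuln_check(conn, token)
    if checked is None:
        return None
    token_id, route = checked
    vuln_use(conn, token_id)
    return route


def vulnerable_sequential(n: int) -> int:
    """n requests one after another: the limit holds, which is why the bug is
    invisible to a non-concurrent test. Returns how many got the route."""
    conn = make_db()
    return sum(1 for _ in range(n) if vulnerable_get_token_route(conn, TOKEN) is not None)


def vulnerable_under_race(n: int) -> int:
    """Worst-case interleaving of n concurrent requests: all checks run before
    any write. Returns how many requests obtained the route (all of them)."""
    conn = make_db()
    checks = [vuln_check(conn, TOKEN) for _ in range(n)]  # every check sees usageCount == 0
    granted = 0
    for checked in checks:
        if checked is not None:
            vuln_use(conn, checked[0])
            granted += 1
    return granted


# --- Hardened pattern: one conditional UPDATE both checks and consumes ---

def atomic_get_token_route(conn: sqlite3.Connection, token: str) -> Optional[str]:
    """The database evaluates the WHERE clause and the increment as a single
    statement, so however requests interleave, at most usageLimit of them match."""
    cur = conn.execute(
        "UPDATE tokens SET usageCount = usageCount + 1 "
        "WHERE token = ? AND (usageLimit IS NULL OR usageCount < usageLimit)",
        (token,),
    )
    conn.commit()
    if cur.rowcount != 1:
        return None  # unknown token, or the limit was already reached
    return conn.execute("SELECT route FROM tokens WHERE token = ?", (token,)).fetchone()[0]


def atomic_under_race(n: int) -> int:
    """There is no intermediate state between check and write to interleave, so
    back-to-back execution is the only ordering; exactly usageLimit succeed."""
    conn = make_db()
    return sum(1 for _ in range(n) if atomic_get_token_route(conn, TOKEN) is not None)


if __name__ == "__main__":
    print("sequential, vulnerable code:", vulnerable_sequential(5), "of 5 granted")
    print("raced, vulnerable code:     ", vulnerable_under_race(5), "of 5 granted")
    print("raced, atomic code:         ", atomic_under_race(5), "of 5 granted")
```

The sequential run shows why a unit test that redeems the token twice in a row passes on the vulnerable code; only an overlapping run exposes the window. The hardened form also keeps the unlimited-use case (usageLimit NULL) working, since the WHERE clause admits it explicitly.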

Tags: Exploit · Fix · LPE

Weakness Enumeration
Time Of Check To Time Of Use

Related Identifiers
CVE-2026-27128
GHSA-6FX5-5CW5-4897

Affected Products
Craft Cms