PT-2026-22948 · Craft · Craft
Z3Rco · Published 2026-03-03 · Updated 2026-03-04
CVE-2026-28696 · CVSS v4.0 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS 4.x prior to 4.17.0-beta.1 and 5.x prior to 5.9.0-beta.1
Description
Craft is a content management system (CMS) whose GraphQL API provides a @parseRefs directive that expands reference tags (for example {user:1:email}) inside the fields it is applied to. The directive is backed by Elements::parseRefs, which resolves the referenced element and extracts the requested attribute without checking whether the requesting identity is allowed to view that element. Any authenticated user can therefore read attributes of any element in the CMS, and because the directive is active in the Public Schema, unauthenticated guests can do the same wherever the Public Schema is enabled. Exploitation goes through the GraphQL API endpoint (/index.php?action=graphql/api) with reference-tag payloads placed in queries. Reported impacts include user data leakage, IDOR on private entries and assets, arbitrary property reflection, system information leakage, privilege escalation, server-side logic execution and potential authentication bypass. Note that the CVSS vector above rates the direct impact as confidentiality only (VC:H, VI:N, VA:N); escalation or bypass would follow from what the disclosed attributes enable rather than from the flaw itself.
Recommendations
Update Craft to 4.17.0-beta.1 or later on the 4.x branch, or to 5.9.0-beta.1 or later on the 5.x branch. The fix modifies Elements::parseRefs to enforce canView permissions on the resolved element before any attribute is extracted, so a reference tag that points at an element the caller may not view is no longer expanded. Until the update is applied, disabling the Public Schema removes the unauthenticated path but not the one available to authenticated users.
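The missing check and its fix side by side, as an added example that is not Craft's code: a Python model of reference-tag expansion in which the element store, the viewing policy in can_view, the sample elements, the payload and the choice to leave an unauthorized tag unexpanded are all constructed assumptions standing in for Elements::parseRefs and the element's canView() permission.

```python
"""Reference-tag expansion with and without an authorization check.

Constructed model of the Craft behaviour described in the advisory; the
element store, the viewing policy, the sample data and the choice to leave
an unauthorized tag unexpanded are assumptions of this example, not Craft
code.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Reference tags look like {type:id:attribute}, e.g. {user:1:email}.
REF_TAG = re.compile(r"\{(?P<type>[a-z]+):(?P<id>\d+):(?P<attr>[A-Za-z_]+)\}")

GUEST = None  # identity of a Public Schema request with no logged-in user


@dataclass
class Element:
    type: str
    id: int
    attrs: dict
    enabled: bool = True           # disabled entries/assets count as private here
    owner_id: Optional[int] = None

    def can_view(self, viewer_id: Optional[int]) -> bool:
        """Stand-in for the element's canView() permission check (assumed policy)."""
        if viewer_id is not None and viewer_id == self.owner_id:
            return True            # owners always see their own elements
        if self.type == "user":
            return False           # user records are not visible to anyone else
        return self.enabled        # other elements are public only when enabled


class ElementStore:
    """Minimal lookup by (type, id), standing in for the CMS database."""

    def __init__(self, elements):
        self._by_key = {(e.type, e.id): e for e in elements}

    def get(self, type_: str, id_: int) -> Optional[Element]:
        return self._by_key.get((type_, id_))


def parse_refs_vulnerable(store: ElementStore, text: str) -> str:
    """Pre-fix behaviour: every resolvable tag is expanded, whoever asks."""
    def expand(m) -> str:
        el = store.get(m["type"], int(m["id"]))
        if el is None or m["attr"] not in el.attrs:
            return m.group(0)      # unknown element or attribute: leave the tag
        return str(el.attrs[m["attr"]])
    return REF_TAG.sub(expand, text)


def parse_refs_fixed(store: ElementStore, text: str, viewer_id: Optional[int]) -> str:
    """Post-fix behaviour: the resolved element must pass can_view first."""
    def expand(m) -> str:
        el = store.get(m["type"], int(m["id"]))
        if el is None or m["attr"] not in el.attrs:
            return m.group(0)
        if not el.can_view(viewer_id):
            return m.group(0)      # not permitted: tag stays unexpanded (example's choice)
        return str(el.attrs[m["attr"]])
    return REF_TAG.sub(expand, text)


# Constructed sample content: one user, a public entry, a draft, a private asset.
SAMPLE_ELEMENTS = [
    Element("user", 1, {"email": "admin@example.test", "username": "admin"}, owner_id=1),
    Element("entry", 10, {"title": "Public post"}),
    Element("entry", 11, {"title": "Unpublished draft"}, enabled=False, owner_id=1),
    Element("asset", 5, {"url": "/private/contract.pdf"}, enabled=False),
]

# A field value carrying attacker-chosen reference tags, as it would reach
# the directive after a GraphQL query applies @parseRefs (constructed payload).
PAYLOAD = "{user:1:email} {entry:10:title} {entry:11:title} {asset:5:url}"


def demo() -> dict:
    """Expand the payload as a guest before and after the fix, and as user 1."""
    store = ElementStore(SAMPLE_ELEMENTS)
    return {
        "vulnerable_guest": parse_refs_vulnerable(store, PAYLOAD),
        "fixed_guest": parse_refs_fixed(store, PAYLOAD, GUEST),
        "fixed_user_1": parse_refs_fixed(store, PAYLOAD, 1),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:17} {result}")
```

The guest run of the vulnerable function returns the admin's e-mail, the unpublished draft title and the private asset URL; the fixed function returns only the public entry title for the guest, and the draft as well for its owner. The point to carry over to the real code is where the check sits: on the element resolved from the tag, with the identity of the request, not on the field the query asked for.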

Tags: Exploit · Fix · IDOR · Missing Authorization


Weakness Enumeration

Related Identifiers
CVE-2026-28696
GHSA-7X43-MPFG-R9WJ

Affected Products
Craft