PT-2026-23006 · Craft Cms · Craft Cms

Rajchowdhury240 +1

Published 2026-03-04 · Updated 2026-03-05 · CVE-2026-29069

CVSS v4.0 6.9 Medium
Vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions prior to 5.9.0-beta.2 and versions prior to 4.17.0-beta.2

Description
Craft is a content management system. The actionSendActivationEmail() endpoint is accessible to unauthenticated users and lacks permission checks for pending users. An attacker can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. The issue stems from the endpoint accepting arbitrary userId parameters without verifying ownership. Attack scenarios include targeted account takeover, user ID brute-force enumeration, leveraging GraphQL for user information, and potential email spam or harassment. The userId parameter is retrieved using the getRequiredBodyParam() function.

Recommendations
Update to Craft CMS version 5.9.0-beta.2 or later. Update to Craft CMS version 4.17.0-beta.2 or later.
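The pattern the description faults beside a hardened form, as an added illustration that is not Craft's own source: a Yii-style controller action that is anonymously reachable and acts on any userId from the body, next to one that stays out of the anonymous list and requires a logged-in caller with a user-administration permission before a pending user is looked up. The class name, namespace and the `administrateUsers` permission name are assumed, and the Craft/Yii method names are written from memory rather than taken from the advisory.

```php
<?php
// Added illustration, not Craft CMS source. Class and permission names are
// assumed; Craft/Yii method names are written from memory, not from the advisory.
namespace modules\controllers;

use Craft;
use craft\elements\User;
use craft\web\Controller;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class ActivationController extends Controller
{
    // Faulted pattern: reachable without a session, acts on any userId in the body.
    protected array|bool|int $allowAnonymous = ['send-activation-email-unsafe'];

    public function actionSendActivationEmailUnsafe(): Response
    {
        $this->requirePostRequest();
        $userId = $this->request->getRequiredBodyParam('userId');
        $user = User::find()->id($userId)->status(null)->one();
        if ($user === null) {
            throw new NotFoundHttpException('User not found');
        }
        Craft::$app->getUsers()->sendActivationEmail($user); // no caller check
        return $this->asSuccess('Activation email sent.');
    }

    // Hardened pattern: the action is absent from $allowAnonymous, so anonymous
    // requests are rejected before it runs; the logged-in caller must also hold
    // a user-administration permission before any userId is read.
    public function actionSendActivationEmail(): Response
    {
        $this->requirePostRequest();
        $this->requireLogin();
        $this->requirePermission('administrateUsers'); // assumed permission name

        $userId = (int)$this->request->getRequiredBodyParam('userId');
        $user = User::find()->id($userId)->status(null)->one();
        if ($user === null || $user->getStatus() !== User::STATUS_PENDING) {
            // One response for "no such id" and "not pending": no id oracle.
            throw new NotFoundHttpException('No pending user found');
        }
        Craft::$app->getUsers()->sendActivationEmail($user);
        return $this->asSuccess('Activation email sent.');
    }
}
```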

Exploit · Fix · Improper Authentication · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-29069
GHSA-234Q-VVW3-MRFQ

Affected Products

Craft Cms