PT-2026-24638 — Craftcms/Cms

PT-2026-24638 · Packagist · Craftcms/Cms

Published

2026-03-10

Updated

2026-03-10

CVSS v4.0

2.3

Low

Vector

AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Summary

Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken.

Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.

That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.

Preconditions

Victim is logged in to Craft control panel.
Victim has active preview authorization in session for target content (e.g., opened/edited an entry).
The attacker must know the target’s canonicalId and public URL path of that entry.

1) Attacker prepares a fixed token

Use any 32-character value, for example:

aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

2) CSRF victim into minting that token

Send the victim a link (or top-level redirect) such as:

https://TARGET/actions/preview/create-token?elementType=craft%5Celements%5CEntry&canonicalId=123&siteId=1&previewToken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&redirect=https%3A%2F%2FTARGET%2F

If the victim is logged in and authorized for previewElement:123, Craft creates that exact token.

3) Attacker accesses preview content unauthenticated

curl -i 'https://TARGET/news/known-entry-slug?token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'

Expected vulnerable behavior:

Response renders preview/unpublished state (draft/provisional context), not just normal public content.

Impact

CSRF-based minting of attacker-known preview tokens.
Unauthorized access to draft/provisional/revision content via token replay.
Stealthy one-click exploitation against logged-in editors/admins.
No dependency on forwarded-host poisoning.

Fix

Improper Authentication

CSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287CWE-352

Related Identifiers

GHSA-VG3J-HPM9-8V5V

Affected Products

Craftcms/Cms