PT-2026-25806 · Craft Cms · Craft Cms

Angrybrad · Published 2026-03-16 · Updated 2026-03-26 · CVE-2026-32267

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 4.0.0-RC1 through 4.17.5; Craft CMS versions 5.0.0-RC1 through 5.9.11.

Description: Craft CMS contains a privilege escalation flaw in the UsersController->actionImpersonateWithToken function. A low-privilege user, or an unauthenticated user who has access to a shared preview URL, can escalate to administrator level by abusing the impersonation functionality through a token-based bypass. An attacker holding a valid "preview token" can redirect that request into the impersonation endpoint and be logged in as any user, including administrators, without authenticating. Approximately 105,000 instances of Craft CMS are exposed globally, and the vulnerability allows full admin takeover. The root cause is a bypass of the security guards in the actionPreview() function, combined with insufficient verification of the token intended for the impersonation action. The vulnerability is exploitable by appending a crafted string to a preview URL.

Recommendations: Craft CMS versions 4.0.0-RC1 through 4.17.5 should be updated to version 4.17.6. Craft CMS versions 5.0.0-RC1 through 5.9.11 should be updated to version 5.9.12.
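An added example, not part of this advisory, that turns the affected ranges and fixed versions above into a check a defender can run against an installed Craft CMS version string. Pre-release tags are assumed to look like RC<n> (as in 4.0.0-RC1) and are ordered before the final release of the same number.

```python
# Affected ranges and fixed versions as stated in the advisory:
# (first affected, last affected, fixed version) per release branch.
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.5", "4.17.6"),
    ("5.0.0-RC1", "5.9.11", "5.9.12"),
]


def parse_version(version: str) -> tuple:
    """Turn '4.17.5' or '4.0.0-RC1' into a tuple that sorts correctly.

    A release-candidate sorts before its final release, so
    4.0.0-RC1 < 4.0.0-RC2 < 4.0.0 < 4.0.1.  Only RC tags are handled
    (assumption: Craft's affected ranges on this advisory use only RC).
    """
    core, _, pre = version.strip().partition("-")
    major, minor, patch = (int(part) for part in core.split("."))
    if pre:
        if not pre.upper().startswith("RC"):
            raise ValueError(f"unsupported pre-release tag: {pre!r}")
        rank = (0, int(pre[2:] or 0))   # pre-release: (0, rc number)
    else:
        rank = (1, 0)                    # final release sorts after any RC
    return (major, minor, patch, rank)


def check_craft_version(version: str) -> tuple:
    """Return (affected, fixed_version) for an installed Craft CMS version.

    fixed_version is the advisory's recommended upgrade target for the
    matching branch, or None when the version is outside both ranges.
    """
    parsed = parse_version(version)
    for first, last, fix in AFFECTED_RANGES:
        if parse_version(first) <= parsed <= parse_version(last):
            return True, fix
    return False, None


if __name__ == "__main__":
    for v in ["4.0.0-RC1", "4.17.5", "4.17.6", "5.9.11", "5.9.12", "3.9.0"]:
        affected, fix = check_craft_version(v)
        status = f"AFFECTED, upgrade to {fix}" if affected else "not in range"
        print(f"{v:>10}: {status}")
```

Point it at the version reported by your installation (for example the `craft` CLI's version output or `CRAFT_VERSION` from the admin panel) and upgrade when it returns affected.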

Tags: Exploit · Fix · LPE

Weakness Enumeration: Incorrect Authorization

Related Identifiers: CVE-2026-32267, GHSA-CC7P-2J3X-X7XF

Affected Products: Craft CMS