PT-2026-38285 · Craft Cms · Craft Cms

Published: 2026-05-06 · Updated: 2026-05-14 · CVE-2026-44010

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.0.0 through 4.17.11
Craft CMS versions 5.0.0 through 5.9.17

Description
The GraphQL Address element resolver in src/gql/resolvers/elements/Address.php fails to perform schema scope filtering on top-level queries. Other element resolvers use GqlHelper::extractAllowedEntitiesFromSchema() to enforce the boundaries of the token's schema, but the Address resolver relies only on the binary canQueryUsers() check. A GraphQL API token with access to any single user group can therefore read every address in the system, including addresses belonging to users in groups outside the token's scope. This exposes personally identifiable information (PII) such as full names, postal addresses, organizations, and tax IDs. In addition, the ownerId argument of the addresses query can be used to retrieve a specific user's addresses regardless of the token's scope.
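The following is an added illustration of the weakness class described above, not Craft CMS code: it models a resolver that gates access with a single yes/no permission check beside one that filters results by the user groups the token's schema may read, and shows that an explicit owner-id argument cannot widen the scoped result. The schema scope format, the helper names and the sample users and addresses are all constructed for this example.

```python
"""Scope filtering for an element resolver (illustrative model).

Added example, not Craft CMS code. The schema scope format
('usergroups.<handle>:read'), the helper names and all sample data
are constructed for this illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class User:
    id: int
    group: str


@dataclass(frozen=True)
class Address:
    id: int
    owner_id: int
    full_name: str


@dataclass
class Schema:
    """Constructed stand-in for the scope list attached to an API token's schema."""
    scope: List[str] = field(default_factory=list)


# Constructed sample data: two user groups; a token scoped to 'customers'
# must never see the 'staff' user's address.
USERS = {1: User(1, "customers"), 2: User(2, "staff"), 3: User(3, "customers")}
ADDRESSES = [
    Address(10, 1, "Alice Customer"),
    Address(11, 2, "Bob Staff"),
    Address(12, 3, "Carol Customer"),
]


def allowed_user_groups(schema: Schema) -> Set[str]:
    """Extract the user-group handles the schema is permitted to read.

    Plays the role of an 'extract allowed entities from schema' helper:
    the result is a set of handles, not a yes/no answer.
    """
    groups = set()
    for entry in schema.scope:
        target, _, action = entry.partition(":")
        if action == "read" and target.startswith("usergroups."):
            groups.add(target.split(".", 1)[1])
    return groups


def can_query_users(schema: Schema) -> bool:
    """Binary check: does the schema have read access to *any* user group?"""
    return bool(allowed_user_groups(schema))


def resolve_addresses_vulnerable(schema: Schema, owner_id: Optional[int] = None) -> List[Address]:
    """Weak pattern: one yes/no gate, after which every address is returned.

    A token scoped to a single group passes the gate and receives the
    addresses of users in every other group as well.
    """
    if not can_query_users(schema):
        return []
    rows = ADDRESSES
    if owner_id is not None:
        rows = [a for a in rows if a.owner_id == owner_id]
    return rows


def resolve_addresses_scoped(schema: Schema, owner_id: Optional[int] = None) -> List[Address]:
    """Hardened pattern: results are restricted to owners whose group is in
    the schema scope, and the owner-id argument only narrows that set.
    """
    groups = allowed_user_groups(schema)
    if not groups:
        return []
    rows = [a for a in ADDRESSES if USERS[a.owner_id].group in groups]
    if owner_id is not None:
        rows = [a for a in rows if a.owner_id == owner_id]
    return rows


if __name__ == "__main__":
    token_scope = Schema(scope=["usergroups.customers:read"])
    print("binary gate :", [a.full_name for a in resolve_addresses_vulnerable(token_scope)])
    print("scoped      :", [a.full_name for a in resolve_addresses_scoped(token_scope)])
    print("scoped, ownerId=2:", resolve_addresses_scoped(token_scope, owner_id=2))
```

The design point is that authorization for a list resolver has to be expressed as a filter applied to the rows (or to the query that fetches them), not as a precondition on the request: any argument that selects rows, such as an owner id, must be applied after the scope filter so that it can only narrow the permitted set.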
Recommendations
Update Craft CMS to version 4.17.12.
Update Craft CMS to version 5.9.18.


Weakness Enumeration

Missing Authorization

Related Identifiers

BDU:2026-07030
CVE-2026-44010
GHSA-GJ2P-P9M4-C8GW

Affected Products

Craft Cms