CVE-2026-27128
published 2026-02-24CVE-2026-27128: Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race…
PriorityP425medium4.8CVSS 3.1
AVNACLPRHUIRSCCLILAN
EPSS
0.18%
7.3th percentile
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.5.0-RC1 < 4.16.19 | 4.16.19 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.23 | 5.8.23 |
| craftcms | craft_cms | < 4.16.19 | 4.16.19 |
| craftcms | craft_cms | < 5.8.23 | 5.8.23 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
CVSS provenance
nvdv3.14.8MEDIUMCVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
osv·2026-02-23
CVE-2026-27128 [MEDIUM] Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.
To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.
For this to be a privilege escalation, the imp
GHSA
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
ghsa·2026-02-23
CVE-2026-27128 [MEDIUM] CWE-367 Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.
To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.
For this to be a privilege escalation, the imp
No detection rules found.
No public exploits indexed.
2026-02-24
Published