CVE-2026-28696 — Authorization Bypass Through User-Controlled Key in Craft CMS

CWE-639 — Authorization Bypass Through User-Controlled Key CWE-862 — Missing Authorization5 documents5 sources

Severity

8.7HIGHNVD

EPSS

0.0%

top 93.86%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Craftcms Craft CMS Craftcms CMS

Timeline

PublishedMar 4

Description

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulne…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Packagistcraftcms/cms4.0.0-RC1 — 4.17.0-beta.1+1

▶NVDcraftcms/craft_cms< 4.17.0+3

▶CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.0-beta.1, >= 5.0.0-RC1, < 5.9.0-beta.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Craft affected by IDOR via GraphQL @parseRefs↗2026-03-04

▶

GHSA

Craft CMS has IDOR via GraphQL @parseRefs↗2026-03-03

▶

OSV

Craft CMS has IDOR via GraphQL @parseRefs↗2026-03-03

▶

🕵️Threat Intelligence

Wiz

CVE-2026-28696 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶