CVE-2026-29069Authorization Bypass Through User-Controlled Key in Craft CMS

CWE-639Authorization Bypass Through User-Controlled KeyCWE-287Improper Authentication5 documents5 sources
Severity
6.9MEDIUMNVD
EPSS
0.1%
top 83.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMar 4

Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed i

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.9.0-beta.2+1
NVDcraftcms/craft_cms< 4.17.0+5
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.0-beta.2, >= 5.0.0-RC1, < 5.9.0-beta.2+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft has an unauthenticated activation email trigger with potential user enumeration2026-03-04
GHSA
Craft CMS has unauthenticated activation email trigger with potential user enumeration2026-03-04
OSV
Craft CMS has unauthenticated activation email trigger with potential user enumeration2026-03-04

🕵️Threat Intelligence

1
Wiz
CVE-2026-29069 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-29069 — Craftcms Craft CMS vulnerability | cvebase