CVE-2026-29069
published 2026-03-04CVE-2026-29069: Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated…
PriorityP432medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EPSS
0.27%
19.0th percentile
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.17.0-beta.2 | 4.17.0-beta.2 |
| craftcms | cms | >= 5.0.0-RC1 < 5.9.0-beta.2 | 5.9.0-beta.2 |
| craftcms | craft_cms | < 4.17.0 | 4.17.0 |
| craftcms | craft_cms | < 5.9.0 | 5.9.0 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvdv4.06.9MEDIUMCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Craft CMS has unauthenticated activation email trigger with potential user enumeration
ghsa·2026-03-04
CVE-2026-29069 [HIGH] CWE-287 Craft CMS has unauthenticated activation email trigger with potential user enumeration
Craft CMS has unauthenticated activation email trigger with potential user enumeration
The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.
The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.
Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter,
OSV
Craft CMS has unauthenticated activation email trigger with potential user enumeration
osv·2026-03-04
CVE-2026-29069 [HIGH] Craft CMS has unauthenticated activation email trigger with potential user enumeration
Craft CMS has unauthenticated activation email trigger with potential user enumeration
The `actionSendActivationEmail()` endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.
The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary `userId` parameters without verifying ownership.
Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter,
No detection rules found.
No public exploits indexed.
2026-03-04
Published