CVE-2026-32267
Published 2026-03-16
Priority: P268 · Critical 9.8 (CVSS 3.1)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 7.73% (93.9th percentile)
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 4.0.0-RC1 < 4.17.6 | 4.17.6 |
| craftcms | cms | >= 5.0.0-RC1 < 5.9.12 | 5.9.12 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 4.0.0.1 < 4.17.6 | 4.17.6 |
| craftcms | craft_cms | >= 5.0.1 < 5.9.12 | 5.9.12 |
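To check a deployment against the `craftcms/cms` ranges in the table, the following is an added example (it is not code from the advisory, the CVE sources or the Craft CMS project). It compares a version string against the two `[low, high)` ranges, ordering pre-release tags such as `-RC1` before the matching release so that `4.17.6-RC1` is still reported as affected while `4.17.6` is not, and it reads the installed version out of a `composer.lock` document. The `composer.lock` excerpt is constructed for the example; the pre-release tag grammar (`RC1`, `beta.2`, `alpha`) is an assumption of the parser, not taken from the page.

```python
"""Check a Craft CMS install against the affected ranges above.

Added example, not code from the advisory or from Craft CMS. The ranges are the
craftcms/cms ones from the table (4.0.0-RC1 <= v < 4.17.6, 5.0.0-RC1 <= v < 5.9.12).
Pre-release tags such as -RC1 are ordered before the matching release, so
4.17.6-RC1 still counts as affected while 4.17.6 does not. The composer.lock
excerpt below is constructed for this example.
"""
import json
import re

AFFECTED_RANGES = (
    ("4.0.0-RC1", "4.17.6"),
    ("5.0.0-RC1", "5.9.12"),
)

# Assumed pre-release grammar: letters, optional dot, optional number (RC1, beta.2, alpha).
_PRE_RE = re.compile(r"^([A-Za-z]+)\.?(\d*)$")


def parse_version(text):
    """Return a sortable key (numeric core, pre-release key) for a version string.

    A release sorts after any pre-release of the same core: (1,) > (0, tag, n).
    Cores are padded to four components so 4.0.0.1 (the CPE-style range start
    in the table) and 4.0.0 compare as expected. A leading 'v' is ignored.
    """
    text = text.strip().lstrip("vV")
    core, _, pre = text.partition("-")
    nums = tuple(int(part) for part in core.split("."))
    nums += (0,) * (4 - len(nums))
    if not pre:
        return nums, (1,)
    match = _PRE_RE.match(pre)
    if not match:
        raise ValueError(f"unrecognised pre-release tag in {text!r}")
    tag, number = match.groups()
    return nums, (0, tag.upper(), int(number or 0))


def is_affected(version, ranges=AFFECTED_RANGES):
    """True if `version` falls inside any [low, high) range."""
    key = parse_version(version)
    return any(parse_version(low) <= key < parse_version(high) for low, high in ranges)


def craftcms_version_from_lock(lock_text):
    """Extract the installed craftcms/cms version from a composer.lock document."""
    lock = json.loads(lock_text)
    for package in lock.get("packages", []):
        if package.get("name") == "craftcms/cms":
            return package["version"]
    return None


# Constructed composer.lock excerpt (not a real deployment).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.11"},
        {"name": "vlucas/phpdotenv", "version": "v5.6.1"},
    ]
})

if __name__ == "__main__":
    installed = craftcms_version_from_lock(SAMPLE_LOCK)
    verdict = "AFFECTED" if is_affected(installed) else "not affected"
    print(f"craftcms/cms {installed}: {verdict}")
```

Run it against a real `composer.lock` by passing the file contents to `craftcms_version_from_lock`; the parser raises on a tag shape it does not recognise rather than silently classifying it.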
Detection & IOCs (extracted from sources)
- Monitor for requests that invoke the `users/impersonate-with-token` action (`UsersController->actionImpersonateWithToken`): it lets a low-privilege user, or an unauthenticated user who has been sent a shared preview URL, escalate to admin. A request that combines a preview token with this action and a target `userId`/`prevUserId` is the abuse pattern the advisory describes; impersonation is an admin function that ordinary site traffic never calls, so any hit deserves triage.
- Affected versions: Craft CMS 4.0.0-RC1 up to but not including 4.17.6, and 5.0.0-RC1 up to but not including 5.9.12. Fixed in 4.17.6 and 5.9.12.
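The monitoring suggestion above, implemented as an added example over constructed access-log lines (this is not code from the advisory, the CVE sources or the Craft CMS project). Every request that invokes the impersonation action is reported; one that also carries a share/preview token and a target `userId` is rated high, since that is the shape of the abuse string the advisory quotes (`&action=users/impersonate-with-token&userId=1&prevUserId=1`). Assumptions not taken from the page: the combined access-log format, `token` as the name of the preview-token query parameter, and `/actions/<route>` as the path-style way to trigger a Craft action.

```python
"""Flag web-server requests that invoke Craft's users/impersonate-with-token action.

Added example, not code from the advisory, the CVE sources or the Craft CMS
project. Every call to the impersonation action is reported; a call that also
carries a share/preview token plus a target userId (the advisory's abuse string
is `&action=users/impersonate-with-token&userId=1&prevUserId=1`) is rated high.
Assumptions: combined access-log format; `token` as the preview-token query
parameter; `/actions/<route>` as Craft's path-style action trigger. The log
lines are constructed for this example.
"""
import re
from urllib.parse import parse_qs, urlsplit

SUSPECT_ACTION = "users/impersonate-with-token"
TOKEN_PARAM = "token"          # assumed name of the preview/share token parameter
ACTION_TRIGGER = "/actions/"   # assumed path-style action trigger

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def inspect_target(target):
    """Return query details if `target` calls the impersonation action, else None."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    via_query = any(a.strip("/") == SUSPECT_ACTION for a in query.get("action", []))
    via_path = parts.path.rstrip("/").endswith(ACTION_TRIGGER + SUSPECT_ACTION)
    if not (via_query or via_path):
        return None
    return {
        "user_id": query.get("userId", [None])[0],
        "prev_user_id": query.get("prevUserId", [None])[0],
        "has_token": TOKEN_PARAM in query,
    }


def scan_log(log_text):
    """Return one finding per request that invokes the impersonation action."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        hit = inspect_target(match["target"])
        if hit is None:
            continue
        # A share/preview token combined with the impersonation action and a target
        # userId is the abuse pattern; any other call still warrants triage, because
        # impersonation is an admin function that ordinary traffic never touches.
        severity = "high" if hit["has_token"] and hit["user_id"] else "medium"
        findings.append({
            "ip": match["ip"],
            "time": match["time"],
            "status": int(match["status"]),
            "severity": severity,
            **hit,
        })
    return findings


# Constructed sample: a preview URL, the same URL with the abuse string appended,
# an ordinary login, and a direct path-style call without a token.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:10:01:02 +0000] "GET /blog/draft-post?token=Kx9aBcDeF HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Mar/2026:10:01:40 +0000] "GET /blog/draft-post?token=Kx9aBcDeF&action=users/impersonate-with-token&userId=1&prevUserId=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2026:10:02:11 +0000] "POST /index.php?action=users/login HTTP/1.1" 200 45 "-" "curl/8.4"
198.51.100.7 - - [16/Mar/2026:10:03:00 +0000] "GET /actions/users/impersonate-with-token?userId=1 HTTP/1.1" 403 0 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['severity'].upper():6} {finding['ip']} {finding['time']} "
              f"status={finding['status']} userId={finding['user_id']} token={finding['has_token']}")
```

Feed it real access logs with `scan_log(open(path).read())`. The response status is kept in each finding because it separates a blocked attempt (4xx) from one that was served, and a 3xx after the impersonation call on an unpatched host is the case to escalate first.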
CVSS provenance
| Source | CVSS | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| NVD | 4.0 | 7.7 | High | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
The two vectors disagree on preconditions: the 3.1 vector assumes no privileges (PR:N), while the 4.0 vector records low privileges and an attack requirement (PR:L, AT:P), which matches the advisory's stated precondition of a low-privilege account or possession of a valid preview token.
OSV
Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
osv · 2026-03-16 · CVE-2026-32267 [HIGH]
### Summary
A low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing `UsersController->actionImpersonateWithToken`.
Affected users should update to Craft 4.17.6 and 5.9.12 to mitigate the issue.
### Details
This vulnerability allows any low-privilege user to escalate their privileges and become an admin, or, in extreme circumstances, unprivileged users to do the same.
Therefore, this vulnerability affects Craft Pro and Team more than Craft Solo.
Specifically, an attacker who possesses a valid “preview token” can then append `&action=users/impersonate-with-token&userId=1&prevUserId=1` to the preview URL to hi
GHSA
Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()
ghsa · 2026-03-16 · CVE-2026-32267 [HIGH] · CWE-863 (Incorrect Authorization)
No detection rules found.
No public exploits indexed.