Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
Guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication.
Details
ConfigSyncController extends BaseUpdaterController, and the base updater is anonymously accessible for control panel requests. index emits signed updater state (data), which can be reused by guests in subsequent requests.
Sensitive actions that are reachable via this method are actionApplyYamlChanges, actionRegenerateYaml, applyExternalChanges, and regenerateExternalConfig.
Reproduction steps
- Guest POST to:
http POST /admin/actions/config-sync/index
- Extract data from returned JS state:
Craft.updater = ... setState({"data":"<signedData>", ...});
- Reuse data as a guest:
POST /admin/actions/config-sync/regenerate-yaml
data=<signedData>&<csrfParam>=<csrfToken>or
POST /admin/actions/config-sync/apply-yaml-changes
data=<signedData>&<csrfParam>=<csrfToken>- Observe completed response and state/file changes.
Impact
Unauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts.
Depending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk.
Resources
https://github.com/craftcms/cms/commit/7f0ead833f7
AnalysisAI
Unauthenticated guests can access Config Sync updater endpoints to retrieve signed state data and execute privileged state-changing actions such as YAML regeneration and application without authentication. This vulnerability in ConfigSyncController stems from insufficient access controls on the base updater interface, allowing attackers to reuse captured signed data in subsequent requests to modify system configuration. A patch is available to address this authentication bypass.
Technical ContextAI
Craft CMS (pkg:composer/craftcms_cms) implements a Config Sync feature through the ConfigSyncController class, which extends BaseUpdaterController. The vulnerability stems from a failure to enforce authentication on the index action (CWE-306: Missing Authentication for Critical Function). The BaseUpdaterController is designed to be anonymously accessible for control panel state requests, but it improperly emits signed updater state data that is cryptographically valid across subsequent requests. An attacker can extract this signed data from the initial unauthenticated response and replay it in follow-up POST requests to sensitive actions (actionApplyYamlChanges, actionRegenerateYaml, applyExternalChanges, regenerateExternalConfig) to execute configuration state transitions without possessing valid admin credentials.
RemediationAI
Immediately upgrade Craft CMS to version 4.17.8 or later for the 4.x branch, or version 5.9.14 or later for the 5.x branch. The patch is available via the official GitHub repository at https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592. Update instructions can be found in the official security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w and in the corresponding release notes (https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14). As a temporary mitigation prior to patching, restrict network access to the /admin/actions/config-sync/* endpoints to trusted internal IP ranges and implement reverse-proxy authentication; however, upgrading is strongly recommended and should not be delayed.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14938
GHSA-6mrr-q3pj-h53w