Skip to main content

CVE-2026-33159

| EUVDEUVD-2026-14938 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-03-24 https://github.com/craftcms/cms GHSA-6mrr-q3pj-h53w
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:00 euvd
EUVD-2026-14938
Analysis Generated
Mar 24, 2026 - 17:00 vuln.today
Patch released
Mar 24, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:57 nvd
MEDIUM 6.9

DescriptionGitHub Advisory

Summary

Guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication.

Details

ConfigSyncController extends BaseUpdaterController, and the base updater is anonymously accessible for control panel requests. index emits signed updater state (data), which can be reused by guests in subsequent requests.

Sensitive actions that are reachable via this method are actionApplyYamlChanges, actionRegenerateYaml, applyExternalChanges, and regenerateExternalConfig.

Reproduction steps
  1. Guest POST to:

http POST /admin/actions/config-sync/index

  1. Extract data from returned JS state:

Craft.updater = ... setState({"data":"<signedData>", ...});

  1. Reuse data as a guest:
  POST /admin/actions/config-sync/regenerate-yaml
  data=<signedData>&<csrfParam>=<csrfToken>

or

  POST /admin/actions/config-sync/apply-yaml-changes
  data=<signedData>&<csrfParam>=<csrfToken>
  1. Observe completed response and state/file changes.

Impact

Unauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts.

Depending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk.

Resources

https://github.com/craftcms/cms/commit/7f0ead833f7

AnalysisAI

Unauthenticated guests can access Config Sync updater endpoints to retrieve signed state data and execute privileged state-changing actions such as YAML regeneration and application without authentication. This vulnerability in ConfigSyncController stems from insufficient access controls on the base updater interface, allowing attackers to reuse captured signed data in subsequent requests to modify system configuration. A patch is available to address this authentication bypass.

Technical ContextAI

Craft CMS (pkg:composer/craftcms_cms) implements a Config Sync feature through the ConfigSyncController class, which extends BaseUpdaterController. The vulnerability stems from a failure to enforce authentication on the index action (CWE-306: Missing Authentication for Critical Function). The BaseUpdaterController is designed to be anonymously accessible for control panel state requests, but it improperly emits signed updater state data that is cryptographically valid across subsequent requests. An attacker can extract this signed data from the initial unauthenticated response and replay it in follow-up POST requests to sensitive actions (actionApplyYamlChanges, actionRegenerateYaml, applyExternalChanges, regenerateExternalConfig) to execute configuration state transitions without possessing valid admin credentials.

RemediationAI

Immediately upgrade Craft CMS to version 4.17.8 or later for the 4.x branch, or version 5.9.14 or later for the 5.x branch. The patch is available via the official GitHub repository at https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592. Update instructions can be found in the official security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w and in the corresponding release notes (https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14). As a temporary mitigation prior to patching, restrict network access to the /admin/actions/config-sync/* endpoints to trusted internal IP ranges and implement reverse-proxy authentication; however, upgrading is strongly recommended and should not be delayed.

Share

CVE-2026-33159 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy