CVE-2026-32267

Severity: CRITICAL (CVSS 9.8)
WAF coverage: Low
Published: 2026-03-16
CWE-863: Incorrect Authorization

Craft CMS is a content management system (CMS). In versions from 4.0.0-RC1 before 4.17.6 and from 5.0.0-RC1 before 5.9.12, a low-privilege user, or an unauthenticated user who has been sent a shared URL, can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken: the action's authorization check is incorrect (CWE-863), so holding a token is enough to take over the targeted account. This issue has been patched in versions 4.17.6 and 5.9.12.
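
The bug class named above, an impersonation token redeemed without checking who is redeeming it or whether that user may impersonate the target, is modelled below in Python. This is an added example written for this page; it is not Craft CMS code (Craft is PHP) and is not derived from the patch. The user table, the permission name `impersonateUsers`, the token layout, the demo key and the authorization rule in `can_impersonate` are all assumptions made for the demonstration.

```python
"""Hypothetical model of a token-based impersonation endpoint (CWE-863).
Not Craft CMS code. `impersonate_vulnerable` trusts any cryptographically
valid token; `impersonate_fixed` also checks the redeemer and the rule."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed demo values; a real deployment takes the key from config.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"
NOW = 1_700_000_000.0
ADMIN, EDITOR, GUEST = 1, 2, 3


@dataclass
class User:
    id: int
    name: str
    admin: bool = False
    permissions: set = field(default_factory=set)


# Constructed user table; "impersonateUsers" is an assumed permission name.
USERS = {
    ADMIN: User(ADMIN, "admin", admin=True, permissions={"impersonateUsers"}),
    EDITOR: User(EDITOR, "editor", permissions={"impersonateUsers"}),
    GUEST: User(GUEST, "guest"),
}


def _sign(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(issuer_id: int, target_id: int, now: float, ttl: int = 300) -> str:
    """issuer:target:expiry:nonce:mac; the MAC covers the first four fields.
    Minting checks nothing here, which is the vulnerable model's behaviour."""
    payload = f"{issuer_id}:{target_id}:{int(now) + ttl}:{secrets.token_hex(8)}"
    return f"{payload}:{_sign(payload)}"


def verify_token(token: str, now: float):
    """Return (issuer_id, target_id) if the MAC and expiry hold, else None."""
    parts = token.split(":")
    if len(parts) != 5:
        return None
    payload, mac = ":".join(parts[:4]), parts[4]
    if not hmac.compare_digest(_sign(payload).encode(), mac.encode()):
        return None
    if int(parts[2]) < now:  # fields are trustworthy once the MAC checks out
        return None
    return int(parts[0]), int(parts[1])


def impersonate_vulnerable(session_user_id, token: str, now: float):
    """Vulnerable: a valid token is treated as sufficient. Caller identity,
    issuer permission and target rank are never checked, so a guest (or an
    anonymous holder of a shared URL) becomes admin."""
    parsed = verify_token(token, now)
    if parsed is None:
        return None
    _issuer, target = parsed
    return USERS.get(target)


def can_impersonate(actor: User, target: User) -> bool:
    """Assumed rule: permission required; only an admin may take over an admin."""
    if "impersonateUsers" not in actor.permissions:
        return False
    return actor.admin or not target.admin


def request_token(actor_id: int, target_id: int, now: float):
    """Fixed-side minting: never issue a token the actor may not redeem."""
    actor, target = USERS.get(actor_id), USERS.get(target_id)
    if actor is None or target is None or not can_impersonate(actor, target):
        return None
    return mint_token(actor_id, target_id, now)


def impersonate_fixed(session_user_id, token: str, now: float):
    """Fixed: token validity is necessary, not sufficient. The redeemer must be
    the bound issuer, and the rule is re-evaluated at redemption time so a
    token minted before a permission was revoked cannot still be used."""
    parsed = verify_token(token, now)
    if parsed is None or session_user_id is None:
        return None
    issuer, target = parsed
    if issuer != session_user_id:
        return None  # shared URL redeemed by someone other than its issuer
    actor, victim = USERS.get(issuer), USERS.get(target)
    if actor is None or victim is None or not can_impersonate(actor, victim):
        return None
    return victim


def demo() -> dict:
    """Name of the resulting session user for each scenario (None = refused)."""
    def name(u):
        return None if u is None else u.name
    guest_token = mint_token(GUEST, ADMIN, NOW)   # guest mints a token for admin
    shared_url = mint_token(EDITOR, ADMIN, NOW)   # editor's token, sent to a stranger
    return {
        "vuln_guest_to_admin": name(impersonate_vulnerable(GUEST, guest_token, NOW)),
        "vuln_anon_shared_url": name(impersonate_vulnerable(None, shared_url, NOW)),
        "fixed_guest_to_admin": name(impersonate_fixed(GUEST, guest_token, NOW)),
        "fixed_anon_shared_url": name(impersonate_fixed(None, shared_url, NOW)),
        "fixed_editor_to_guest": name(impersonate_fixed(EDITOR, request_token(EDITOR, GUEST, NOW), NOW)),
        "fixed_editor_to_admin": request_token(EDITOR, ADMIN, NOW),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The point the fixed handler makes is that a MAC only proves the server issued the token; it says nothing about whether the person presenting it should get the session it names. Binding the token to its issuer defeats the shared-URL case, and re-running the authorization rule at redemption defeats tokens minted for a target the caller was never allowed to become.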

WAF Coverage Analysis

CWE-863 Incorrect Authorization: Low WAF coverage. The request that triggers this flaw is a well-formed call to a legitimate endpoint carrying a token the application itself issued; the defect is in the server-side authorization decision, so there is no attack payload for a WAF to pattern-match. Treat this as a patch-only fix.

OWASP: A01:2021 Broken Access Control

Affected Software

Vendor     Product     Version
craftcms   craft_cms   4.0.0.1 up to 4.17.6 (excluding)
craftcms   craft_cms   5.0.1 up to 5.9.12 (excluding)
craftcms   craft_cms   4.0.0 (pre-release builds)
craftcms   craft_cms   5.0.0 (pre-release builds)
