Craft CMS Token Exploit: Unauthorized Multiple Uses
CVE-2026-27128
GHSA-6fx5-5cw5-4897
Summary
A vulnerability in Craft CMS allows an attacker to use a single-use token multiple times, potentially gaining unauthorized access to a user account with higher permissions. This can happen with a valid impersonation URL and concurrent requests. To protect your site, ensure you're using the latest version of Craft CMS and consider implementing additional security measures, such as rate limiting and monitoring for unusual login activity.
What to do
- Update craftcms cms to version 4.16.19.
- Update craftcms cms to version 5.8.23.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| craftcms | cms | > 4.5.0-RC1 , <= 4.16.18 | 4.16.19 |
| craftcms | cms | > 5.0.0-RC1 , <= 5.8.22 | 5.8.23 |
| craftcms | craft_cms | > 4.5.0 , <= 4.16.19 | – |
| craftcms | craft_cms | > 5.0.0 , <= 5.8.23 | – |
| craftcms | craft_cms | 4.5.0 | – |
| craftcms | craft_cms | 5.0.0 | – |
Original title
Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit
Original description
A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks whether it is within the limit, and then updates the database, as separate, non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.
To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.
For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.
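The following is an added illustration of the flaw class described above (CWE-367), not Craft CMS's code and not derived from the fix commit referenced below. It models a single-use token as a row in a SQLite table (the `tokens` schema, token value and function names are constructed assumptions), shows why a read-check-write sequence lets several interleaved requests all pass the limit check, and shows the hardened form: a single conditional `UPDATE` that lets the database evaluate the limit and increment the counter atomically, so only one request can consume the token no matter how many arrive at once.

```python
"""Toy model of CWE-367 in a single-use token service (constructed example).

The schema, token value and function names are assumptions for illustration;
none of this is Craft CMS's own code.
"""
import sqlite3


def make_token_db():
    """Create an in-memory table holding one single-use token (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tokens ("
        " token TEXT PRIMARY KEY,"
        " usageLimit INTEGER,"  # NULL means unlimited
        " usageCount INTEGER NOT NULL DEFAULT 0)"
    )
    conn.execute(
        "INSERT INTO tokens (token, usageLimit) VALUES (?, ?)",
        ("impersonate-abc123", 1),  # constructed single-use token
    )
    conn.commit()
    return conn


# --- Vulnerable pattern: check, then update, as two separate statements ---

def read_and_check(conn, token):
    """Time of check: read the counters and decide whether the token is usable.
    Returns the observed usageCount, or None if the token is missing or spent."""
    row = conn.execute(
        "SELECT usageLimit, usageCount FROM tokens WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None
    limit, count = row
    if limit is not None and count >= limit:
        return None
    return count


def record_use(conn, token, observed_count):
    """Time of use: persist the increment based on the earlier (possibly stale) read."""
    conn.execute(
        "UPDATE tokens SET usageCount = ? WHERE token = ?",
        (observed_count + 1, token),
    )
    conn.commit()


def racy_consume_interleaved(conn, token, n_requests):
    """Deterministically model n concurrent requests whose reads all complete
    before any of their writes. Returns how many requests were granted."""
    observed = [read_and_check(conn, token) for _ in range(n_requests)]
    granted = 0
    for count in observed:
        if count is not None:
            record_use(conn, token, count)
            granted += 1
    return granted


# --- Hardened pattern: check and increment in one atomic conditional UPDATE ---

def atomic_consume(conn, token):
    """The database evaluates the limit and increments in a single statement,
    so exactly one of any number of concurrent requests can win."""
    cur = conn.execute(
        "UPDATE tokens SET usageCount = usageCount + 1 "
        "WHERE token = ? AND (usageLimit IS NULL OR usageCount < usageLimit)",
        (token,),
    )
    conn.commit()
    return cur.rowcount == 1


def usage_count(conn, token):
    """Read back the stored counter for inspection."""
    return conn.execute(
        "SELECT usageCount FROM tokens WHERE token = ?", (token,)
    ).fetchone()[0]


if __name__ == "__main__":
    db = make_token_db()
    granted = racy_consume_interleaved(db, "impersonate-abc123", 3)
    print("racy:   granted", granted, "usageCount", usage_count(db, "impersonate-abc123"))
    db = make_token_db()
    wins = sum(atomic_consume(db, "impersonate-abc123") for _ in range(3))
    print("atomic: granted", wins, "usageCount", usage_count(db, "impersonate-abc123"))
```

In the racy model every request observes `usageCount = 0`, passes the check, and writes `1`, so all of them are granted while the stored counter still reads one use. The atomic version returns the affected-row count from a single `UPDATE ... WHERE usageCount < usageLimit`, which the database serializes; the first caller gets `True` and every later caller `False`. Checking the row count of a conditional update (or an equivalent `SELECT ... FOR UPDATE` inside a transaction) is the general remedy for this class of counter races.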
## References
https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf
NVD CVSS 3.1: 4.8
NVD CVSS 4.0: 6.9
Vulnerability type
CWE-367
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026