Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.
2.3

Craft CMS: Attackers can access sensitive content

GHSA-vg3j-hpm9-8v5v CVE-2026-29113 GHSA-vg3j-hpm9-8v5v
Summary

A security issue in Craft CMS allows attackers to view sensitive content without logging in. This happens when an attacker tricks a logged-in user into creating a special token, which can then be used to access content that's not publicly visible. To fix this, update to Craft CMS version 4.17.4 or 5.9.7.

What to do
  • Update craftcms cms to version 4.17.4.
  • Update craftcms cms to version 5.9.7.
  • Update craftcms craftcms/cms to version 4.17.4.
  • Update craftcms craftcms/cms to version 5.9.7.
Affected software
VendorProductAffected versionsFix available
craftcms cms > 4.0.0-RC1 , <= 4.17.3 4.17.4
craftcms cms > 5.0.0-RC1 , <= 5.9.6 5.9.7
craftcms craftcms/cms > 4.0.0-RC1 , <= 4.17.4 4.17.4
craftcms craftcms/cms > 5.0.0-RC1 , <= 5.9.7 5.9.7
craftcms craft_cms > 4.0.0 , <= 4.17.4
craftcms craft_cms > 5.0.0 , <= 5.9.7
Original title
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-su...
Original description
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
Vulnerability type
CWE-287 Improper Authentication
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 10 Mar 2026 · Updated: 13 Mar 2026 · First seen: 10 Mar 2026