CVE-2026-31266
Description
Craft CMS 5.9.5 and earlier contains a Missing Authorization vulnerability in the migrate endpoint (/actions/app/migrate).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS 5.9.5 and earlier has a missing authorization vulnerability in the migrate endpoint allowing unauthenticated database manipulation.
Vulnerability
Craft CMS versions 5.9.5 and earlier contain a Missing Authorization vulnerability (CWE-862) in the migrate endpoint (/actions/app/migrate). The AppController at src/controllers/AppController.php lines 65-68 sets $allowAnonymous to include the migrate action for both live and offline modes, allowing unauthenticated access to the migration functionality [2].
Exploitation
An unauthenticated attacker can trigger the migration by sending a POST request to http://target/actions/app/migrate. The PoC demonstrates that even with allowAdminChanges=false, the request succeeds, leading to database changes [2].
Impact
Successful exploitation can cause the migration to execute, which may drop or alter database tables. In the PoC, the sessions table was dropped, resulting in data loss and potential service disruption [2]. The attacker gains the ability to affect the database without authentication, leading to a significant integrity and availability impact.
Mitigation
As of the publication date, no official patch has been released for CVE-2026-31266. Administrators should restrict network access to the /actions/app/migrate endpoint or implement additional authentication checks. The vendor has not yet disclosed a workaround. Monitoring the vendor's repository [1] for updates is advised.
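As an added defender-side example (not from this CVE record or from Craft CMS itself), the following Python script scans web-server access log lines in Combined Log Format for POST requests to the migrate endpoint described above, normalizes the request path so that slash-padded or percent-encoded variants of the same path are not missed, and reports hits per source IP together with how many the server answered with a 2xx status. The log lines are constructed samples, and the endpoint path assumes Craft's default `actions` action trigger.

```python
import re
from collections import Counter
from urllib.parse import unquote
# Combined Log Format: ip ident user [time] "METHOD target HTTP/x" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Assumes Craft's default action trigger "actions"; the vulnerable route is app/migrate.
MIGRATE_PATH = "/actions/app/migrate"

def normalize_path(target: str) -> str:
    """Drop the query string, percent-decode, collapse repeated and trailing slashes."""
    path = unquote(target.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return path.rstrip("/") or "/"

def parse_line(line: str):
    """Return a dict of log fields plus the normalized path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = normalize_path(entry["target"])
    return entry

def find_migrate_hits(lines):
    """Keep only POST requests whose normalized path is the migrate endpoint."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"] == MIGRATE_PATH:
            hits.append(e)
    return hits

def summarize(hits):
    """Count hits per source IP and how many the server answered with a 2xx status."""
    succeeded = sum(1 for h in hits if h["status"].startswith("2"))
    return {"by_ip": dict(Counter(h["ip"] for h in hits)),
            "total": len(hits), "succeeded": succeeded}

# Constructed sample lines (not real traffic); line 2 is a slash-padded variant of the path.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/May/2026:10:01:02 +0000] "POST /actions/app/migrate HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '203.0.113.7 - - [27/May/2026:10:01:05 +0000] "POST /actions//app/migrate/ HTTP/1.1" 200 312 "-" "curl/8.5.0"',
    '198.51.100.4 - - [27/May/2026:10:02:10 +0000] "GET /actions/app/migrate HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [27/May/2026:10:02:11 +0000] "POST /actions/app/migrate HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [27/May/2026:10:03:01 +0000] "POST /actions/users/login HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]
```

Running `summarize(find_migrate_hits(SAMPLE_LOG))` over the samples flags three POSTs from two addresses, two of which the server accepted; a 2xx answer is the signal that the migration actually ran rather than being blocked.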
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 Patches
1558372701d78 Finish 5.9.6
2 files changed · +2 −2
CHANGELOG.md+1 −1 modified@@ -1,6 +1,6 @@ # Release Notes for Craft CMS 5 -## Unreleased +## 5.9.6 - 2026-02-03 - It’s now possible to set elements’ Thumbnail Source to a field nested within a Content Block field. ([#18365](https://github.com/craftcms/cms/issues/18365)) - Elements within embedded element indexes are now hyperlinked by default. ([#17080](https://github.com/craftcms/cms/discussions/17080))
src/config/app.php+1 −1 modified@@ -3,7 +3,7 @@ return [ 'id' => 'CraftCMS', 'name' => 'Craft CMS', - 'version' => '5.9.5', + 'version' => '5.9.6', 'schemaVersion' => '5.9.0.8', 'minVersionRequired' => '4.5.0', 'basePath' => dirname(__DIR__), // Defines the @app alias
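Review bot: the CHANGELOG hunk only retitles `## Unreleased` to `## 5.9.6 - 2026-02-03` above two feature items (Thumbnail Source in Content Block fields, hyperlinked embedded element indexes); nothing under 5.9.6 records a security fix, even though this release commit is the one linked to CVE-2026-31266. Add a line under 5.9.6 that names the fix to the migrate endpoint (`/actions/app/migrate`) and references the CVE, so administrators reading the release notes can tell the upgrade is security-relevant.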
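Review bot: the `src/config/app.php` hunk only bumps `'version' => '5.9.5'` to `'5.9.6'`; the vulnerable code path named in this record, the `$allowAnonymous` setting for the `migrate` action in `src/controllers/AppController.php`, is not touched anywhere in the two-file diff, and `schemaVersion` stays at `'5.9.0.8'`. If the authorization change landed in a separate commit, this release commit or the CVE record should reference it, because a version bump alone gives no evidence that the `migrate` action stopped being reachable anonymously.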
Vulnerability mechanics
Root cause
"Missing authorization check in AppController allows unauthenticated users to invoke the migrate endpoint."
Attack vector
An attacker sends a POST request to `/actions/app/migrate` without any authentication. The controller's `$allowAnonymous` property is set to `self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE` [ref_id=1], which permits unauthenticated access in both live and offline modes. This allows any remote attacker who can reach the Craft CMS instance to trigger the migration endpoint, potentially causing database schema changes or data loss [ref_id=1].
Affected code
File: `src/controllers/AppController.php`, lines 65-68. The `$allowAnonymous` property is set to `self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE` for the `migrate` action [ref_id=1].
What the fix does
The patch increments the version from 5.9.5 to 5.9.6 in `src/config/app.php` [patch_id=2691379]. The CHANGELOG entry for 5.9.6 does not explicitly describe a security fix [patch_id=2691379]. No code-level patch to the `AppController` or the `$allowAnonymous` property is shown in the provided diff, so the exact remediation applied to the vulnerable code path is not visible in the supplied patch bundle.
Preconditions
- auth: No authentication required; the endpoint is configured to allow anonymous access
- network: Attacker must be able to send HTTP POST requests to the Craft CMS instance
- network: The migrate endpoint must be reachable (no WAF or network-level blocking)
Reproduction
curl -X POST "http://target/actions/app/migrate"
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
News mentions (0)
No linked articles in our index yet.