VYPR
High severity · NVD Advisory · Published Mar 16, 2026 · Updated Mar 18, 2026

Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

CVE-2026-32267

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Affected versions        | Patched versions
craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.17.6   | 4.17.6
craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.9.12   | 5.9.12
