VYPR
Get started
← All advisories
High severity7.1GHSA Advisory· Published May 12, 2026· Updated May 13, 2026

CVE-2026-44010

CVE-2026-44010

Description

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

Affected products

1

Patches

1
834b2cf61ad0

Fixed GHSA-gj2p-p9m4-c8gw

https://github.com/craftcms/cmsbrandonkellyMar 26, 2026via ghsa
commit
2 files changed · +28 0
  • CHANGELOG.md+1 0 modified
    @@ -4,6 +4,7 @@
 
 - Fixed a bug where GraphQL results were getting cached even if they contained transform generation URLs. ([#18581](https://github.com/craftcms/cms/issues/18581))
 - Fixed a bug where `aria-activedescendant`, `aria-flowto`, and `aria-owns` attributes weren’t getting namespaced by `{% namespace %}` tags. ([#18577](https://github.com/craftcms/cms/issues/18577))
+- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) information disclosure vulnerability. (GHSA-gj2p-p9m4-c8gw)
 
 ## 4.17.11 - 2026-03-17
  • src/gql/resolvers/elements/Address.php+27 0 modified
    @@ -7,9 +7,13 @@
 
 namespace craft\gql\resolvers\elements;
 
+use Craft;
+use craft\db\Query;
+use craft\db\Table;
 use craft\elements\Address as AddressElement;
 use craft\elements\db\AddressQuery;
 use craft\elements\db\ElementQuery;
+use craft\elements\ElementCollection;
 use craft\gql\base\ElementResolver;
 use craft\helpers\Gql as GqlHelper;
 use Illuminate\Support\Collection;
@@ -31,6 +35,29 @@ public static function prepareQuery(mixed $source, array $arguments, ?string $fi
         // If this is the beginning of a resolver chain, start fresh
         if ($source === null) {
             $query = AddressElement::find();
+            $pairs = GqlHelper::extractAllowedEntitiesFromSchema('read');
+            $condition = [];
+
+            if (isset($pairs['usergroups'])) {
+                $userGroupsService = Craft::$app->getUserGroups();
+                $groupIds = array_filter(array_map(
+                    fn(string $uid) => $userGroupsService->getGroupByUid($uid)?->id,
+                    $pairs['usergroups'],
+                ));
+                if (!empty($groupIds)) {
+                    $condition[] = ['exists', (new Query())
+                        ->from(['ugu' => Table::USERGROUPS_USERS])
+                        ->where('[[ugu.userId]] = [[addresses.ownerId]]')
+                        ->andWhere(['in', 'ugu.groupId', $groupIds]),
+                    ];
+                }
+            }
+
+            if (empty($condition)) {
+                return ElementCollection::empty();
+            }
+
+            $query->andWhere(['or', ...$condition]);
         } else {
             // If not, get the prepared element query
             /** @var AddressQuery $query */

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.