216.73.216.86

CVE-2026-29069

· Published 04/03/2026 17:16 · Modified 05/03/2026 10:40

Labels: CVE-2026-29069 2026-03-04CVE-2026-29069CWE-639[email protected]

Essential information

Published
04/03/2026 17:16
Modified
05/03/2026 10:40
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.

NVD status

Status
Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:4.17.0:beta1:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.9.0:beta1:*:*:*:*:*:*

References