216.73.217.176

CVE-2026-27128

· Published 24/02/2026 03:16 · Modified 24/02/2026 14:13

Labels: CVE-2026-27128 2026-02-24CVE-2026-27128CWE-367[email protected]

Essential information

Published
24/02/2026 03:16
Modified
24/02/2026 14:13
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craft / craft cms cpe:2.3:a:craft:craft_cms:4.5.0-RC1:4.16.18:*:*:*:*:*:*
craft / craft cms cpe:2.3:a:craft:craft_cms:5.0.0-RC1:5.8.22:*:*:*:*:*:*
craft / craft cms cpe:2.3:a:craft:craft_cms:4.16.19:*:*:*:*:*:*:*
craft / craft cms cpe:2.3:a:craft:craft_cms:5.8.23:*:*:*:*:*:*:*

References