CVE-2026-29069
Essential information
- Published
- 04/03/2026 17:16
- Modified
- 05/03/2026 10:40
- Author
- —
- Creator
- —
- CVSS
- 6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
—
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Privileges required
- —
- User interaction
- —
- Scope
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- LOW
- Attack requirements
- NONE
- Privileges required
- NONE
- User interaction
- NONE
- Confidentiality (V)
- LOW
- Confidentiality (S)
- NONE
- Integrity (V)
- NONE
- Integrity (S)
- NONE
- Availability (V)
- NONE
- Availability (S)
- NONE
- Exploit maturity
- NOT_DEFINED
Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
NVD status
- Status
- Analyzed — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:4.17.0:beta1:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* |
| craftcms / craft cms | cpe:2.3:a:craftcms:craft_cms:5.9.0:beta1:*:*:*:*:*:* |