CVE-2026-28696 Overview
CVE-2026-28696 is an authorization bypass vulnerability in Craft CMS, a popular content management system. The vulnerability exists in the GraphQL directive @parseRefs, which is designed to parse internal reference tags (e.g., {user:1:email}). Due to missing authorization checks in the Elements::parseRefs implementation, both authenticated users and unauthenticated guests (when a Public Schema is enabled) can exploit this flaw to access sensitive attributes of any element within the CMS.
This vulnerability allows attackers to read data they are not authorized to view, potentially exposing user email addresses, private content, and other sensitive information stored in the Craft CMS database.
Critical Impact
Unauthenticated attackers can extract sensitive data from any CMS element via GraphQL queries when Public Schema is enabled, leading to significant data exposure.
Affected Products
- Craft CMS versions prior to 4.17.0-beta.1
- Craft CMS versions prior to 5.9.0-beta.1
- Craft CMS 4.x and 5.x release candidates and stable releases
Discovery Timeline
- 2026-03-04 - CVE-2026-28696 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28696
Vulnerability Analysis
The vulnerability resides in Craft CMS's GraphQL implementation, specifically in how the @parseRefs directive processes internal reference tags. This directive is intended to resolve element references in a standardized format like {user:1:email} where the pattern represents {elementType:elementId:attribute}.
The core issue stems from CWE-639 (Authorization Bypass Through User-Controlled Key), where the Elements::parseRefs function fails to validate whether the requesting user has appropriate permissions to access the referenced element's attributes. When a Public Schema is enabled in Craft CMS, unauthenticated guests can send GraphQL queries that include these reference tags, effectively bypassing all access controls.
An attacker can iterate through element IDs and attribute names to systematically extract sensitive data from the CMS, including user credentials, email addresses, and private content fields.
Root Cause
The root cause is the absence of authorization checks within the Elements::parseRefs method. When processing reference tags via the @parseRefs GraphQL directive, the function directly resolves the requested element and attribute without verifying that the current user context has permission to access that data. The result is an insecure direct object reference (IDOR): an element ID supplied by the client is resolved and returned without any permission check.
Attack Vector
The attack is network-based and can be performed without any user interaction. If the Craft CMS instance has a Public Schema enabled for GraphQL queries, an unauthenticated attacker can craft malicious GraphQL queries containing the @parseRefs directive with reference tags targeting sensitive element attributes.
The attacker constructs GraphQL queries that include reference tags in the format {elementType:elementId:attribute}. For example, an attacker could use {user:1:email} to retrieve the email address of the first user in the system, or iterate through user IDs to extract a complete list of user email addresses. The vulnerability requires no authentication when Public Schema is enabled, making it highly exploitable in misconfigured environments.
Detection Methods for CVE-2026-28696
Indicators of Compromise
- Unusual GraphQL query patterns containing @parseRefs directive with reference tag syntax
- High volume of GraphQL requests from a single IP address targeting user or entry endpoints
- Access logs showing sequential element ID enumeration patterns in GraphQL queries
- Unexpected data access patterns for sensitive element attributes
Detection Strategies
- Monitor GraphQL endpoint logs for queries containing @parseRefs directive usage
- Implement rate limiting on GraphQL endpoints to detect enumeration attempts
- Audit GraphQL query patterns for reference tag syntax ({type:id:attribute})
- Review access logs for unauthenticated requests to the GraphQL API when Public Schema is enabled
Monitoring Recommendations
- Enable detailed logging for all GraphQL queries in production environments
- Set up alerts for anomalous GraphQL query volumes or patterns
- Monitor for bulk data extraction attempts via the GraphQL API
- Regularly audit Public Schema configurations and exposed fields
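The indicators and detection strategies listed above can be turned into a simple log check. The following script is an added example, not code from the advisory or from the Craft CMS project: it scans constructed request-log lines for the @parseRefs directive, parses any {elementType:elementId:attribute} reference tags into their components, and flags per-client enumeration of consecutive element IDs, raising the severity when the client was an unauthenticated guest. The log format (client IP, user, request text) is an assumption; Craft does not log GraphQL request bodies by default, so a deployment would need body logging at the reverse proxy or a request-log handler.

```python
import re
from collections import defaultdict

# Reference-tag syntax from the advisory: {elementType:elementId:attribute}.
# The attribute segment is optional in Craft's tag syntax, hence the optional group.
REF_TAG_RE = re.compile(r"\{([A-Za-z_]\w*):(\d+)(?::([\w.]+))?\}")
DIRECTIVE_RE = re.compile(r"@parseRefs\b")

# Constructed sample log lines (not from the page): "client_ip | user | request".
# "-" in the user column marks an unauthenticated guest using the Public Schema.
# The "vars=" suffix is an assumed way of logging the GraphQL variables alongside
# the query; adapt parse_log_line() to whatever your proxy actually emits.
SAMPLE_LOG = [
    '198.51.100.7 | editor | query { entries(section: "news") { title body @parseRefs } }',
    '203.0.113.10 | - | query { entries { body @parseRefs } } vars={"ref":"{user:1:email}"}',
    '203.0.113.10 | - | query { entries { body @parseRefs } } vars={"ref":"{user:2:email}"}',
    '203.0.113.10 | - | query { entries { body @parseRefs } } vars={"ref":"{user:3:email}"}',
    '203.0.113.10 | - | query { entries { body @parseRefs } } vars={"ref":"{user:4:email}"}',
    '192.0.2.5 | - | query { entries { title } }',
]


def parse_ref_tag(tag):
    """Split one reference tag into (element_type, element_id, attribute or None)."""
    m = REF_TAG_RE.fullmatch(tag)
    if not m:
        return None
    element_type, element_id, attribute = m.groups()
    return element_type, int(element_id), attribute


def parse_log_line(line):
    """Split a constructed log line into (ip, user, request)."""
    ip, user, request = (part.strip() for part in line.split("|", 2))
    return ip, user, request


def is_sequential(ids, threshold):
    """True when at least `threshold` distinct IDs form a run with gaps of exactly 1."""
    ordered = sorted(ids)
    run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        if run >= threshold:
            return True
    return len(ordered) >= threshold and run >= threshold


def analyze_log(lines, enum_threshold=3):
    """Return per-IP findings for requests that use the @parseRefs directive."""
    per_ip = defaultdict(lambda: {
        "directive_hits": 0,
        "guest_directive_hits": 0,
        "ids_by_type": defaultdict(set),
        "attributes": set(),
    })
    for line in lines:
        ip, user, request = parse_log_line(line)
        if not DIRECTIVE_RE.search(request):
            continue  # only the directive path is in scope for this check
        rec = per_ip[ip]
        rec["directive_hits"] += 1
        if user == "-":
            rec["guest_directive_hits"] += 1
        for m in REF_TAG_RE.finditer(request):
            element_type, element_id, attribute = m.group(1), int(m.group(2)), m.group(3)
            rec["ids_by_type"][element_type].add(element_id)
            if attribute:
                rec["attributes"].add(f"{element_type}.{attribute}")

    findings = {}
    for ip, rec in per_ip.items():
        enumerated = {t: sorted(ids) for t, ids in rec["ids_by_type"].items()
                      if is_sequential(ids, enum_threshold)}
        # Guests reaching the directive at all is already notable (Public Schema exposure);
        # sequential ID runs on top of that match the enumeration pattern in the advisory.
        if enumerated:
            severity = "critical" if rec["guest_directive_hits"] else "high"
        else:
            severity = "high" if rec["guest_directive_hits"] else "info"
        findings[ip] = {
            "directive_hits": rec["directive_hits"],
            "guest_directive_hits": rec["guest_directive_hits"],
            "enumerated": enumerated,
            "attributes": sorted(rec["attributes"]),
            "severity": severity,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in analyze_log(SAMPLE_LOG).items():
        print(ip, finding)
```

The severity ladder is deliberately conservative: an authenticated editor using the directive once is informational, because @parseRefs has legitimate uses, while any guest use is elevated since the advisory's exposure hinges on the Public Schema being reachable without credentials. Tune `enum_threshold` to the volume of legitimate reference tags in your content.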
How to Mitigate CVE-2026-28696
Immediate Actions Required
- Upgrade Craft CMS immediately to version 4.17.0-beta.1 or later on the 4.x line, or 5.9.0-beta.1 or later on the 5.x line
- If upgrading is not immediately possible, disable Public Schema for GraphQL until patched
- Review and restrict GraphQL schema exposure to minimize attack surface
- Audit logs for any potential exploitation attempts prior to patching
Patch Information
Craft CMS has released security patches that address this vulnerability. The fix is available in versions 4.17.0-beta.1 and 5.9.0-beta.1. The patch implements proper authorization checks within the Elements::parseRefs method to ensure that users can only access element attributes they are authorized to view.
For technical details on the fix, refer to the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Disable Public Schema for GraphQL API access until the patch can be applied
- Implement Web Application Firewall (WAF) rules to block GraphQL queries containing @parseRefs directives
- Restrict GraphQL endpoint access to authenticated users only via network-level controls
- Remove sensitive fields from exposed GraphQL schemas as a temporary measure
// config/general.php: turn off the GraphQL API until the patch is applied.
// Note that enableGql disables GraphQL for every schema and token, not only the
// Public Schema; the Public Schema on its own is toggled in the control panel
// under GraphQL → Schemas rather than in this file.
return [
    '*' => [
        'enableGql' => false,
    ],
];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.