CVE-2026-31266 Overview
Craft CMS versions 5.9.5 and earlier contain a missing authorization vulnerability in the migrate endpoint at /actions/app/migrate. The flaw is classified under CWE-862: Missing Authorization. The migration action is reachable over the network by unauthenticated clients and requires no user interaction. The endpoint exposes database migration functionality that should be restricted to administrators. Exploitation can affect the confidentiality, integrity, and availability of the underlying Craft CMS installation.
Critical Impact
Network-reachable attackers can invoke the Craft CMS migrate endpoint without authentication, triggering migration logic that should be restricted to privileged administrators.
Affected Products
- Craft CMS 5.9.5 and earlier
- Craft CMS 5.x branch installations exposing /actions/app/migrate
- Web-facing deployments of the affected Craft CMS versions
Discovery Timeline
- 2026-05-27 - CVE-2026-31266 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-31266
Vulnerability Analysis
The vulnerability resides in the Craft CMS application controller responsible for handling the /actions/app/migrate route. The endpoint is intended to execute pending database migrations during upgrades. In affected releases, the action does not enforce administrator-level authorization before processing the request. Any network client capable of reaching the web application can invoke the action directly.
Because the migrate action writes to the database schema and to Craft's migration tracking table, an unauthorized invocation can leave the application in an inconsistent state. Attackers may also use the endpoint to probe version information or to interfere with the migration workflow. The Common Weakness Enumeration classifies this pattern as CWE-862: an absent authorization check on a sensitive operation.
Root Cause
The root cause is a missing authorization guard on the controller action that backs /actions/app/migrate. Sensitive administrative routes should require an authenticated session with elevated privileges. In affected versions, the request reaches migration logic without this verification step.
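The pattern the root cause describes, and its hardened counterpart, in the form a Craft controller takes. This is an added illustration, not Craft's own AppController or the upstream fix: the module namespace, the two class names and the migrator call are hypothetical choices for the demo, while craft\web\Controller, the $allowAnonymous property, requireAdmin() and requirePostRequest() are the base-class facilities a Craft controller uses for this. Both classes sit in one file only so the contrast is side by side.

```php
<?php
// Added illustration, not Craft CMS's AppController or its fix. Two hypothetical
// controllers show the CWE-862 shape the advisory describes and the hardened form.
// Assumed: Craft 5's craft\web\Controller base class; the module namespace, class
// names and the migrator call are illustrative choices for the demo.

namespace modules\demo\controllers;

use Craft;
use craft\web\Controller;
use yii\web\Response;

// VULNERABLE: the controller opts out of Craft's login requirement and the action
// never checks the caller, so any client that can reach the route runs migrations.
class VulnerableMigrateController extends Controller
{
    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_LIVE;

    public function actionMigrate(): Response
    {
        // No requireAdmin()/requireLogin() and GET is accepted, so there is no
        // authorization step and no CSRF token check before the state change.
        Craft::$app->getMigrator()->up();        // applies every pending migration
        return $this->asJson(['success' => true]);
    }
}

// HARDENED: anonymous access off, explicit admin check, POST-only.
class HardenedMigrateController extends Controller
{
    // ALLOW_ANONYMOUS_NEVER is the base-class default; spelled out here for contrast.
    protected array|int|bool $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    public function actionMigrate(): Response
    {
        // Authorization, not merely authentication: a logged-in non-admin user is
        // still refused with a 403. requireAdmin() also honours the allowAdminChanges
        // config setting, so a locked-down production environment rejects the call.
        $this->requireAdmin();
        // Schema changes are state-changing: insist on POST so Craft's CSRF token
        // validation applies and the action cannot be triggered by a crafted link.
        $this->requirePostRequest();

        Craft::$app->getMigrator()->up();
        return $this->asJson(['success' => true]);
    }
}
```

The check that matters for CWE-862 is the requireAdmin() call: turning off anonymous access alone would still let any authenticated site user run migrations. When confirming a patched release, look for the equivalent of both guards on the real action rather than only the anonymous-access setting.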
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends a crafted HTTP request to the /actions/app/migrate endpoint on an exposed Craft CMS instance. Public proof-of-concept material is referenced in the GitHub PoC for CVE-2026-31266 and the broader cms-security-poc repository. The upstream code is maintained in the Craft CMS repository.
No verified exploit code is reproduced here. Refer to the linked proof-of-concept repositories for technical reproduction details.
Detection Methods for CVE-2026-31266
Indicators of Compromise
- HTTP requests to /actions/app/migrate from clients that are not your deployment hosts or expected administrator networks, or that carry no Craft session or identity cookie.
- Unexpected entries in the Craft CMS migrations table or sudden schema changes outside of planned deployment windows.
- Web server access logs showing repeated POST or GET requests to /actions/app/ action endpoints from a single client.
Detection Strategies
- Inspect web server and reverse proxy logs for requests that reach the migrate action: the /actions/app/migrate path with or without a trailing slash, and requests that pass action=app/migrate as a request parameter instead of a path segment. A request with no administrator session cookie that still receives a 2xx response indicates the action executed without authorization.
- Correlate requests to action endpoints with Craft's application logs under storage/logs and with the apply timestamps recorded in the migrations table, to identify migration runs not initiated by deployment automation.
- Alert on HTTP 2xx responses to /actions/app/migrate, or to any request carrying action=app/migrate, from addresses outside the deployment and administrator ranges.
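The detection strategies above as runnable logic, added here as an example that is not part of the advisory or of Craft. It scans combined-format access-log lines for the request shapes that reach app/migrate, including the trailing-slash variant and the action=app/migrate query-parameter form, and grades a 2xx response from outside a trusted range as the highest concern. The log lines, the 10.0.0.0/8 "trusted" range and the severity labels are constructed for the demo, and the default "actions" trigger segment is assumed. A POST body carrying action=app/migrate is not visible in an access log, so that form needs a WAF or application-level log rather than this scanner.

```php
<?php
// Added example, not from the advisory or from Craft: scans combined-format access
// log lines for requests that reach the app/migrate action and grades them.
// Assumed: the default "actions" trigger segment; the log lines, the TRUSTED_CIDRS
// range and the severity labels are constructed/illustrative choices for the demo.

declare(strict_types=1);

// ip - - [time] "METHOD target HTTP/x" status ...   (nginx/Apache combined format)
const LOG_LINE_RE = '/^(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3})/';

// Sources allowed to run migrations (deployment hosts); constructed for the demo.
const TRUSTED_CIDRS = ['10.0.0.0/8'];

function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    if ($ipLong === false || $netLong === false) {
        return false;                        // IPv6 or malformed: treat as untrusted
    }
    $mask = (int)$bits === 0 ? 0 : ((-1 << (32 - (int)$bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// How the request target reaches app/migrate: 'path', 'action-param', or null.
function migrateTrigger(string $target): ?string
{
    $parts = parse_url($target) ?: [];
    // rtrim so /actions/app/migrate/ (trailing slash) is not missed by an exact compare
    if (rtrim($parts['path'] ?? '', '/') === '/actions/app/migrate') {
        return 'path';
    }
    // Craft also accepts the action name as a request parameter; parse_str URL-decodes
    // app%2Fmigrate. POST bodies are absent from access logs, so only the query form is seen.
    parse_str($parts['query'] ?? '', $query);
    $action = $query['action'] ?? null;
    if (is_string($action) && trim($action, '/') === 'app/migrate') {
        return 'action-param';
    }
    return null;
}

// One finding per matching line; non-matching and unparseable lines are skipped.
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_LINE_RE, $line, $m)) {
            continue;
        }
        $via = migrateTrigger($m['target']);
        if ($via === null) {
            continue;
        }
        $trusted = false;
        foreach (TRUSTED_CIDRS as $cidr) {
            $trusted = $trusted || ipInCidr($m['ip'], $cidr);
        }
        $status = (int)$m['status'];
        // A 2xx from outside the trusted range means the action actually executed.
        if ($trusted) {
            $severity = 'info';
        } elseif ($status >= 200 && $status < 300) {
            $severity = 'high';
        } else {
            $severity = 'medium';            // blocked or failed attempt, still worth a look
        }
        $findings[] = ['ip' => $m['ip'], 'method' => $m['method'], 'status' => $status,
                       'via' => $via, 'severity' => $severity];
    }
    return $findings;
}

// Constructed sample lines (RFC 5737 documentation addresses), not real traffic.
$sampleLog = [
    '203.0.113.5 - - [27/May/2026:10:14:02 +0000] "GET /actions/app/migrate HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.0.0.7 - - [27/May/2026:10:20:11 +0000] "POST /actions/app/migrate HTTP/1.1" 200 87 "-" "deploy-bot/1.0"',
    '198.51.100.23 - - [27/May/2026:10:21:40 +0000] "GET /index.php?action=app%2Fmigrate HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.23 - - [27/May/2026:10:22:01 +0000] "GET /actions/app/migrate/ HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '203.0.113.9 - - [27/May/2026:10:30:00 +0000] "GET /index.php?p=blog/post HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
];

foreach (scanAccessLog($sampleLog) as $f) {
    printf("%-6s %-15s %-4s %d via %s\n", $f['severity'], $f['ip'], $f['method'], $f['status'], $f['via']);
}
```

To run it against a real log, replace $sampleLog with the lines from file($path, FILE_IGNORE_NEW_LINES) and put your deployment and administrator ranges in TRUSTED_CIDRS. If the site has changed the actionTrigger setting in general.php, change the path compared in migrateTrigger() to match.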
Monitoring Recommendations
- Forward Craft CMS application and web server logs to a centralized log platform for query and retention.
- Baseline normal traffic patterns to /actions/ routes and flag deviations against the baseline.
- Monitor file integrity on Craft CMS migration directories and configuration files for unauthorized changes.
How to Mitigate CVE-2026-31266
Immediate Actions Required
- Upgrade Craft CMS to a release later than 5.9.5 that contains the authorization fix for the migrate action.
- Restrict access to /actions/app/migrate at the web server or reverse proxy layer to trusted administrative IP ranges.
- Audit recent web server logs for requests to /actions/app/migrate and review migration history for unexpected entries.
Patch Information
Apply the fixed Craft CMS release published by the maintainers. Track upstream commits and release notes in the Craft CMS repository to confirm the patched version and verify the authorization control on the migrate action.
Workarounds
- Block external access to /actions/app/migrate using web server rules, a web application firewall, or upstream reverse proxy ACLs. Match the path as a prefix rather than an exact string so trailing-slash variants are caught, and remember that Craft also resolves controller actions from an action request parameter (its documentation shows this as a POST field) and that the actions path segment is configurable via the actionTrigger setting; a path-only rule does not cover those forms, so a WAF rule should also inspect the action parameter.
- Place the Craft CMS administrative surface behind a VPN or IP allowlist until the patched version is deployed.
- Disable or restrict the action route in environments where migrations are executed exclusively from a controlled deployment pipeline, for example by running php craft migrate/all from the deploy job instead of over HTTP.
# Example nginx rule to restrict the migrate endpoint to internal IPs.
# The prefix match (^~) also catches /actions/app/migrate/ with a trailing slash,
# which an exact "location =" would let fall through to the general site rule.
# If nginx sits behind a load balancer, configure the real_ip module so that
# allow/deny see the client address rather than the balancer's.
# Assumes an upstream named craftcms_backend defined elsewhere in the config.
location ^~ /actions/app/migrate {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://craftcms_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.