CVE-2026-32267 Overview
CVE-2026-32267 is a privilege escalation vulnerability in Craft CMS, a widely used PHP content management system. It allows a low-privilege user, or an unauthenticated user who has obtained a shared URL carrying an impersonation token, to escalate to administrator level by abusing the token flow handled by UsersController->actionImpersonateWithToken. The flaw is an incorrect authorization check (CWE-863): the remaining usage count of a token was not validated before the token was propagated and honoured, so a token intended for limited use could grant elevated access more than once.
Critical Impact
Low-privilege or unauthenticated users can gain full administrative access to Craft CMS installations, potentially leading to complete site compromise, data theft, and unauthorized content manipulation.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.5
- Craft CMS versions 5.0.0-RC1 through 5.9.11
- All installations in those version ranges that use the impersonation token feature
Discovery Timeline
- 2026-03-16 - CVE-2026-32267 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32267
Vulnerability Analysis
This privilege escalation vulnerability exists in the Craft CMS user impersonation mechanism. Impersonation is driven by a limited-use token that is delivered in a URL and consumed by actionImpersonateWithToken in the UsersController. The vulnerable code did not check whether such a token still had remaining usages: on a site request authenticated with a token, URL generation copied the current request's token into newly generated URLs even after it had been consumed. Anyone holding a shared URL containing an impersonation token could therefore use the token repeatedly or in unintended contexts, ultimately gaining administrator privileges.
The vulnerability is particularly dangerous because it can be exploited by unauthenticated users who have been sent, or have intercepted, a shared URL containing a valid token. This extends the attack surface beyond authenticated low-privilege users to anyone who can obtain such a URL.
Root Cause
The root cause is classified as CWE-863 (Incorrect Authorization). The vulnerable code in src/helpers/UrlHelper.php did not check whether the current request's token still had remaining usages before copying it into generated URLs. Tokens were therefore propagated through URL generation regardless of their validity status, so a token that should have been single-use could be reused for privilege escalation.
Attack Vector
The attack is network-based and exploits the impersonation token functionality within Craft CMS. An attacker can leverage shared URLs containing impersonation tokens to bypass authorization controls:
- Obtain a shared URL containing an impersonation token (through legitimate sharing, interception, or social engineering)
- Access the URL to trigger the actionImpersonateWithToken function
- The application fails to validate the token's remaining usages and grants the impersonated user's (administrator) privileges
- Attacker gains full administrative access to the CMS
The patch introduced validation logic to check remaining token usages before including tokens in URLs:
// Security patch in src/helpers/UrlHelper.php
$params[$generalConfig->siteToken] = $siteToken;
}
if ($request->getIsSiteRequest()) {
- if ($addToken && !isset($params[$generalConfig->tokenParam]) && ($token = $request->getToken()) !== null) {
+ if (
+ $addToken &&
+ !isset($params[$generalConfig->tokenParam]) &&
+ ($token = $request->getToken()) !== null &&
+ Craft::$app->getTokens()->getRemainingTokenUsages($token) !== 0
+ ) {
$params[$generalConfig->tokenParam] = $token;
}
+
if (
!isset($params['x-craft-preview']) &&
!isset($params['x-craft-live-preview']) &&
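Review bot: the new guard "Craft::$app->getTokens()->getRemainingTokenUsages($token) !== 0" lets a null result through as well as any positive count; since the cache added in src/services/Tokens.php is typed array<string,int|null>, this hunk should document what null means here (unlimited usages, or a token that is not in the table?) and, if null can mean "unknown token", the condition should be tightened so an unrecognized token is never copied into a generated URL. A one-line comment such as "// Don't propagate a token that has no usages left" would also help, because the inverted "!== 0" reads as the opposite of "has uses remaining" at a glance.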
Source: GitHub Commit 6301e21
The fix also added token usage tracking in src/services/Tokens.php:
// Security patch in src/services/Tokens.php
*/
private bool $_deletedExpiredTokens = false;
+ /**
+ * @var array<string,int|null>
+ * @see getRemainingTokenUsages()
+ */
+ private array $_remainingTokenUsages = [];
+
/**
* Creates a new token and returns it.
* ---
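Review bot: $_remainingTokenUsages is a per-request in-memory cache keyed by token, so once a count has been looked up, anything that changes the token row later in the same request (the code path that consumes a token, or the lazy deletion of expired tokens that the adjacent $_deletedExpiredTokens flag suggests) will leave a stale value behind; make sure those paths update or unset the cached entry, otherwise the new check in UrlHelper could still see a non-zero count for a token that has just been exhausted. The property docblock should also state what a null value means, since the @var type allows it.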
Source: GitHub Commit 6301e21
Detection Methods for CVE-2026-32267
Indicators of Compromise
- Unexpected administrative actions in Craft CMS audit logs from low-privilege or unauthenticated sessions
- Multiple requests to the actionImpersonateWithToken endpoint reusing the same token value, especially from different client IP addresses
- Unusual user privilege changes or new administrator accounts being created
- Access logs showing repeated use of URLs carrying the token query parameter (generalConfig->tokenParam, named token by default)
Detection Strategies
- Monitor web server logs for requests carrying the token query parameter and alert when the same token value is used more than once or presented from more than one client IP
- Implement alerting on privilege escalation events within Craft CMS user management
- Review authentication logs for session changes where users gain administrative access without proper authorization flow
- Deploy web application firewall rules to flag suspicious token reuse attempts
Monitoring Recommendations
- Enable comprehensive audit logging within Craft CMS to track all administrative actions
- Configure alerts for any user impersonation events, especially those involving privilege elevation
- Monitor for unusual patterns in shared URL access, particularly those with embedded tokens
- Implement session monitoring to detect sudden privilege level changes
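A minimal detector for the log-based indicators above, written here as an added example; it is not part of the original advisory or of Craft CMS. It assumes combined-format access logs and the default tokenParam name of token. The sample lines are constructed, and the impersonation action path /actions/users/impersonate-with-token in them is an assumption (the real path depends on the site's actionTrigger and routing). A token is flagged when it is used more than the usage limit it was issued with or when it is presented from more than one client IP.

```python
"""Flag reuse of Craft-style token query parameters in web server access logs.

Added example, not Craft CMS code. Assumes combined log format and that the
token travels in the default "token" query parameter (generalConfig->tokenParam).
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

TOKEN_PARAM = "token"  # Craft's default generalConfig->tokenParam (assumed not overridden)

# Constructed sample lines. The impersonation action path is an assumption;
# token AbC123 is redeemed twice, the second time from a different IP.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Mar/2026:10:01:02 +0000] "GET /actions/users/impersonate-with-token?token=AbC123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [16/Mar/2026:10:01:03 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [16/Mar/2026:11:45:10 +0000] "GET /actions/users/impersonate-with-token?token=AbC123 HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.9 - - [16/Mar/2026:11:45:12 +0000] "GET /admin/users/new HTTP/1.1" 200 8000 "-" "curl/8.5.0"',
    '10.0.0.7 - - [16/Mar/2026:12:00:00 +0000] "GET /news/launch?token=XyZ789 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Return ip, time, path, status and token (None if absent) for one line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    token = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    return {"ip": m["ip"], "time": m["time"], "path": parts.path,
            "status": int(m["status"]), "token": token}


def find_token_reuse(lines, max_uses=1):
    """Group requests by token value and return the suspicious ones.

    A token is reported when it was used more than max_uses times (the usage
    limit it was issued with) or was presented from more than one client IP.
    Result: {token: {"uses", "ips", "paths", "first", "last"}} with ips/paths sorted.
    """
    seen = defaultdict(lambda: {"uses": 0, "ips": set(), "paths": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["token"] is None:
            continue  # unparseable line, or no token parameter on this request
        entry = seen[rec["token"]]
        entry["uses"] += 1
        entry["ips"].add(rec["ip"])
        entry["paths"].add(rec["path"])
        entry["first"] = entry["first"] or rec["time"]
        entry["last"] = rec["time"]
    findings = {}
    for token, e in seen.items():
        if e["uses"] > max_uses or len(e["ips"]) > 1:
            findings[token] = {"uses": e["uses"], "ips": sorted(e["ips"]),
                               "paths": sorted(e["paths"]), "first": e["first"], "last": e["last"]}
    return findings


if __name__ == "__main__":
    for token, f in find_token_reuse(SAMPLE_LOG).items():
        print(f"token {token}: {f['uses']} uses from {f['ips']} on {f['paths']} "
              f"between {f['first']} and {f['last']}")
```

On the constructed sample, AbC123 is reported (two uses, two IPs) while XyZ789 is not. To run it against a real site, feed the web server's access log lines to find_token_reuse and set max_uses to the usageLimit the tokens were created with (1 for single-use impersonation links); a token seen from more than one IP deserves review even when its count is within the limit.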
How to Mitigate CVE-2026-32267
Immediate Actions Required
- Upgrade Craft CMS version 4.x installations to version 4.17.6 or later immediately
- Upgrade Craft CMS version 5.x installations to version 5.9.12 or later immediately
- Audit administrative accounts for any unauthorized access or recent changes
- Invalidate all existing impersonation tokens and review shared URLs
Patch Information
Craft CMS has released security patches that address this vulnerability. The fix implements proper token usage validation before including tokens in generated URLs by calling getRemainingTokenUsages() to verify the token hasn't been exhausted. The patches are available in versions 4.17.6 and 5.9.12. For detailed information, refer to the GitHub Security Advisory GHSA-cc7p-2j3x-x7xf and the security commit.
Workarounds
- Disable user impersonation functionality if not required for business operations until patching is complete
- Implement network-level access controls to restrict administrative interface access to trusted IP ranges
- Review and revoke any previously shared URLs that may contain impersonation tokens
- Enable multi-factor authentication for all administrative accounts as a defense-in-depth measure
# Upgrade Craft CMS using Composer
composer update craftcms/cms --with-dependencies
# Verify installed version after upgrade
./craft version
# Expected output for 5.x: Craft CMS 5.9.12 or higher
# Expected output for 4.x: Craft CMS 4.17.6 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.