CVE-2026-44010 Overview
CVE-2026-44010 is a missing authorization vulnerability [CWE-862] in Craft CMS, an open-source content management system. The GraphQL Address element resolver located at src/gql/resolvers/elements/Address.php performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address record in the system. This includes addresses belonging to users in groups the token has no authorization to access. The exposed data includes personally identifiable information (PII) such as full names, postal addresses, organizations, and tax identification numbers. The flaw affects Craft CMS versions 4.0.0 through 4.17.11 and 5.x prior to 5.9.18.
Critical Impact
Any authenticated GraphQL token, regardless of its scoped user group, can enumerate all address records across the Craft CMS instance, exposing PII for every user.
Affected Products
- Craft CMS versions 4.0.0 through 4.17.11
- Craft CMS 5.x versions prior to 5.9.18
- Deployments exposing the GraphQL API with multi-group user address data
Discovery Timeline
- 2026-05-12 - CVE-2026-44010 published to NVD
- 2026-05-13 - Last updated in NVD database
- Fixed versions - Craft CMS 4.17.12 and 5.9.18 released with the security patch
Technical Details for CVE-2026-44010
Vulnerability Analysis
The vulnerability resides in the GraphQL Address element resolver at src/gql/resolvers/elements/Address.php. Craft CMS supports scoping GraphQL API tokens to specific schemas and user groups. Most element resolvers enforce that scope when building top-level queries. The Address resolver omits this enforcement step. Top-level queries for Address elements therefore return results across all user groups. The vulnerability is classified as Missing Authorization [CWE-862] and is exploitable over the network by an attacker holding any valid GraphQL token.
Root Cause
The Address resolver does not apply schema-aware filtering before executing the underlying AddressQuery. Other element types restrict results based on the token's allowed schema scopes, but Address records skip that check entirely. As a result, the database query returns every address regardless of which user owns it or which group that user belongs to.
Attack Vector
An attacker who obtains a low-privilege GraphQL API token issues a top-level addresses query through the Craft CMS GraphQL endpoint. The resolver returns all address records in the instance. The attacker harvests names, street addresses, organizations, and tax IDs for every user with an associated address. No additional privileges, user interaction, or chained vulnerabilities are required.
namespace craft\gql\resolvers\elements;
+use Craft;
+use craft\db\Query;
+use craft\db\Table;
use craft\elements\Address as AddressElement;
use craft\elements\db\AddressQuery;
use craft\elements\db\ElementQuery;
+use craft\elements\ElementCollection;
use craft\gql\base\ElementResolver;
use craft\helpers\Gql as GqlHelper;
use Illuminate\Support\Collection;
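Review bot: every added line in this hunk is a `use` import (`Craft`, `craft\db\Query`, `craft\db\Table`, `craft\elements\ElementCollection`) and none of them is referenced by any visible line, so the excerpt does not show the schema scope filter being applied to the AddressQuery before it executes. Include the hunk for the resolver method that uses these imports so the filtering logic itself can be reviewed, and drop any of the four imports that the final method does not reference, since an unused `use` statement is flagged by most PHP linters.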
Source: Craft CMS commit 834b2cf. The patch adds imports for Craft, Query, Table, and ElementCollection so that the resolver can apply schema scope filtering against the underlying address records before returning results.
Detection Methods for CVE-2026-44010
Indicators of Compromise
- GraphQL requests containing top-level addresses queries from tokens scoped to a single low-privilege user group
- Unusually large result sets returned from the Craft CMS GraphQL endpoint for address-related fields
- Access log entries showing repeated POST requests to /api or the configured GraphQL endpoint from a single API token
Detection Strategies
- Review Craft CMS web server logs for GraphQL queries referencing addresses, addressCount, or addressConnection root fields
- Audit issued GraphQL tokens and correlate their scoped schemas with the address fields they have queried
- Compare returned address counts against the number of users in a token's authorized groups to detect over-disclosure
Monitoring Recommendations
- Enable verbose GraphQL request logging in Craft CMS to capture query bodies and token identifiers
- Forward web access logs and Craft CMS application logs to a centralized log analytics platform for retention and search
- Alert on any GraphQL query that requests address fields combined with PII attributes such as fullName, organizationTaxId, or addressLine1
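The detection and monitoring points above can be implemented as a small log-review pass. The following Python is an added example, not code from the Craft CMS project or from this advisory: it runs over constructed log records (token id, GraphQL query body, number of address records returned), flags requests whose root fields are addresses, addressCount or addressConnection, lists the PII attributes requested, and marks over-disclosure when the returned count exceeds an assumed per-token ceiling derived from the user groups the token is scoped to.

```python
import re

ADDRESS_ROOT_FIELDS = {"addresses", "addressCount", "addressConnection"}
PII_ATTRIBUTES = {"fullName", "organizationTaxId", "addressLine1"}

# Constructed sample of parsed access-log records (not real traffic). "returned" is
# the number of address records in the response, taken from the response body or size.
LOG_RECORDS = [
    {"token": "tok-editors", "query": "query { entries { title } }", "returned": 0},
    {"token": "tok-editors", "returned": 412,
     "query": "query { addresses(limit: 500) { fullName organizationTaxId addressLine1 } }"},
    {"token": "tok-admin", "query": "{ all: addressConnection { totalCount } }", "returned": 412},
    {"token": "tok-editors", "query": "query { users { addresses { addressLine1 } } }", "returned": 3},
]
# Assumed per-token ceiling: number of users in the groups the token's schema covers.
ALLOWED_USERS = {"tok-editors": 12, "tok-admin": 500}


def top_level_fields(query: str) -> set:
    """Root (depth-1) field names of a GraphQL operation (aliases resolved, args skipped)."""
    start = query.find("{")
    if start < 0:
        return set()
    fields, depth, i = set(), 0, start
    while i < len(query):
        ch = query[i]
        if ch in "({":          # braces and argument lists both count as nesting
            depth += 1
        elif ch in ")}":
            depth -= 1
        elif depth == 1 and (ch.isalnum() or ch == "_"):
            m = re.match(r"(\w+)(?:\s*:\s*(\w+))?", query[i:])  # "alias: field" or "field"
            fields.add(m.group(2) or m.group(1))
            i += m.end()
            continue
        i += 1
    return fields


def analyze(records: list, allowed_users: dict) -> list:
    """One finding per request whose root fields touch address data."""
    findings = []
    for rec in records:
        hit = top_level_fields(rec["query"]) & ADDRESS_ROOT_FIELDS
        if not hit:
            continue  # nested address selections are not the top-level path at issue
        pii = sorted(a for a in PII_ATTRIBUTES if re.search(r"\b%s\b" % a, rec["query"]))
        findings.append({"token": rec["token"], "root_fields": sorted(hit), "pii": pii,
                         "returned": rec["returned"],
                         "over_disclosure": rec["returned"] > allowed_users.get(rec["token"], 0)})
    return findings
```

Only the second and third records produce findings; the low-privilege editors token that pulled 412 addresses against a 12-user ceiling is marked as over-disclosure, while the nested users.addresses selection is ignored because it is not a top-level Address query.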
How to Mitigate CVE-2026-44010
Immediate Actions Required
- Upgrade Craft CMS to version 4.17.12 or 5.9.18 as soon as possible
- Rotate all existing GraphQL API tokens after upgrading to invalidate any tokens that may have been used for unauthorized access
- Audit user address data and, if exposure is confirmed, notify affected users as required by applicable data protection regulations
Patch Information
The maintainers fixed the vulnerability in Craft CMS 4.17.12 and 5.9.18. The fix is published in commit 834b2cf61ad0dcee9b03add44ed402ebf18db128 and detailed in GitHub Security Advisory GHSA-gj2p-p9m4-c8gw. The patch updates src/gql/resolvers/elements/Address.php to apply schema scope filtering before executing the address query.
Workarounds
- If address data is reachable through the schema, disable the GraphQL API entirely until the upgrade is applied
- Restrict network access to the Craft CMS GraphQL endpoint to trusted internal clients via firewall or reverse proxy rules
- Revoke any public or third-party GraphQL tokens that have access to user-related schemas
# Upgrade Craft CMS via Composer to a patched release
composer require craftcms/cms:^5.9.18 --update-with-dependencies
# Or for the 4.x branch
composer require craftcms/cms:^4.17.12 --update-with-dependencies
# Apply pending migrations after upgrade
php craft up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.