Cyber Resilience

CVE-2026-28696

HighPublic PoC

Published: 04 March 2026

Published
04 March 2026
Modified
05 March 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0045 35.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-28696 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28696 is an authorization bypass vulnerability in Craft, a content management system (CMS). In versions prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs—intended to parse internal reference tags such as {user:1:email}—suffers from inadequate implementation in the Elements::parseRefs method, which fails to enforce authorization checks. This flaw enables unauthorized access to sensitive attributes of any element within the CMS.

The vulnerability can be exploited remotely over the network with low complexity by both authenticated users and unauthenticated guests, provided a Public Schema is enabled. Successful exploitation allows attackers to read sensitive data they lack permission to view, resulting in high confidentiality impact with no integrity or availability disruption. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-639 (Authorization Bypass Through User-Controlled Key).

Craft CMS addresses this issue in versions 4.17.0-beta.1 and 5.9.0-beta.1. Additional details are available in the GitHub security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj and the fixing commit at https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled)…

more

to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213 Data from Information Repositories Collection
Adversaries may leverage information repositories to mine valuable information.
Why these techniques?

Authorization bypass in public-facing Craft CMS GraphQL endpoint (no auth checks on @parseRefs/Elements::parseRefs) directly enables remote exploitation of a public application for initial access (T1190) and unauthorized collection of sensitive data from the CMS information repository (T1213).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25497Same product: Craftcms Craft Cms
CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2026-28784Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms
CVE-2026-28783Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0 — 4.17.0 · 5.0.0 — 5.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to information and system resources, directly mitigating the failure to perform authorization checks in Elements::parseRefs.

prevent

Requires timely identification, reporting, and correction of system flaws like the authorization bypass in @parseRefs, preventing exploitation via patching to fixed versions.

prevent

Employs least privilege to restrict access to only necessary data and functions, limiting the scope and impact of unauthorized attribute access through the vulnerable directive.

References