Cyber Posture

CVE-2026-32267

Severity: Critical · Public PoC
Published: 16 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: available in 4.17.6 and 5.9.12
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0004 (12.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32267 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Craft CMS (vendor craftcms). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 12.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (AC-3, Access Enforcement): Directly addresses the improper access control (CWE-863) in UsersController->actionImpersonateWithToken that enables unauthorized privilege escalation.
- prevent (SI-2, Flaw Remediation): Mandates timely identification, reporting, and patching of the specific flaw fixed in Craft CMS versions 4.17.6 and 5.9.12.
- prevent: Enforces least privilege to restrict low-privilege or unauthenticated users from accessing admin-level impersonation functions.

MITRE ATT&CK Enterprise Techniques

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes unauthenticated or low-privilege remote abuse of an access-control flaw (the impersonation token) in a public-facing CMS to obtain full admin rights; this directly matches T1190 (initial foothold via a public application) and T1068 (the resulting privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

Deeper analysis

CVE-2026-32267 is a privilege escalation vulnerability in Craft CMS, a content management system. It affects versions from 4.0.0-RC1 up to but not including 4.17.6, and from 5.0.0-RC1 up to but not including 5.9.12. The flaw resides in the UsersController->actionImpersonateWithToken action, whose authorization check is incorrect (CWE-863, Incorrect Authorization). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): critical severity, reachable over the network with low attack complexity, and requiring neither privileges nor user interaction.

An attacker with low privileges, or even an unauthenticated user provided with a shared URL, can exploit this issue to escalate their access to administrator level. By abusing the impersonation token mechanism, the attacker gains full admin privileges, potentially enabling unauthorized data access, modification, or deletion across the CMS instance.

Craft CMS has addressed the vulnerability in versions 4.17.6 and 5.9.12, as detailed in the project's security advisory (GHSA-cc7p-2j3x-x7xf) and corresponding commit (6301e217c5f15617d939c432cb770db50af14b33). Security practitioners should prioritize upgrading affected installations to these patched releases to mitigate the risk.
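As an added example (not Craft CMS project code), the affected ranges stated above turned into a triage check: it parses Craft-style version strings, including RC pre-releases and the four-part 4.0.0.1 form listed under Affected Products, and reports which hosts in a constructed inventory need the 4.17.6 or 5.9.12 upgrade.

```python
"""Version-range triage for CVE-2026-32267 in Craft CMS (added example, not project code).
Affected per the advisory: 4.0.0-RC1 <= v < 4.17.6 and 5.0.0-RC1 <= v < 5.9.12."""
import re

# (first affected, first fixed) for each affected major line.
AFFECTED_RANGES = {4: ("4.0.0-RC1", "4.17.6"), 5: ("5.0.0-RC1", "5.9.12")}

# major.minor.patch, optional fourth build part, optional pre-release tag (RC1, beta.2).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)\.?(\d*))?$")


def parse_version(text):
    """Return a tuple that orders versions correctly: a final release outranks
    any pre-release of the same number, so the stage part is (0, TAG, n) for
    pre-releases and (1, "", 0) for finals (ALPHA < BETA < RC alphabetically)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    build = int(m.group(4)) if m.group(4) else 0
    stage = (0, m.group(5).upper(), int(m.group(6) or 0)) if m.group(5) else (1, "", 0)
    return (major, minor, patch, build, stage)


def is_affected(version):
    """True when the version lies inside an affected range; fixed versions are not."""
    v = parse_version(version)
    bounds = AFFECTED_RANGES.get(v[0])
    if bounds is None:  # 3.x and earlier, or a later major: outside the advisory's ranges
        return False
    first_bad, first_fixed = (parse_version(b) for b in bounds)
    return first_bad <= v < first_fixed


def triage(inventory):
    """Map each host to the release it must upgrade to, or None when already safe."""
    return {
        host: AFFECTED_RANGES[parse_version(ver)[0]][1] if is_affected(ver) else None
        for host, ver in inventory.items()
    }


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = {"web-01": "5.9.11", "web-02": "4.17.6", "legacy": "3.9.0", "stage": "5.0.0-RC1"}

if __name__ == "__main__":
    for host, target in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {'upgrade to ' + target if target else 'not affected'}")
```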

Details

CWE(s)

CWE-863 Incorrect Authorization

Affected Products

craftcms craft cms: 4.0.0, 5.0.0 · 4.0.0.1 up to (excluding) 4.17.6 · 5.0.1 up to (excluding) 5.9.12

CVEs Like This One

- CVE-2026-25497 (same product: Craft CMS)
- CVE-2026-31857 (same product: Craft CMS)
- CVE-2026-28784 (same product: Craft CMS)
- CVE-2025-23209 (same product: Craft CMS)
- CVE-2026-25498 (same product: Craft CMS)
- CVE-2026-25495 (same product: Craft CMS)
- CVE-2025-68455 (same product: Craft CMS)
- CVE-2026-32264 (same product: Craft CMS)
- CVE-2026-33157 (same product: Craft CMS)
- CVE-2025-68454 (same product: Craft CMS)

References