Cyber Resilience

CVE-2026-32267

Severity: High · Public PoC

Published: 16 March 2026
Modified: 17 March 2026
KEV Added: not listed
Patch: Craft CMS 4.17.6 and 5.9.12
CVSS v4.0 score: 7.7 (High); vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0773 (93.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-32267 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Craft CMS (vendor craftcms). Its CVSS v4 base score is 7.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 6.1% of CVEs by exploit likelihood (EPSS), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32267 is a privilege escalation vulnerability in Craft CMS, a content management system. It affects versions from 4.0.0-RC1 up to but not including 4.17.6, and from 5.0.0-RC1 up to but not including 5.9.12. The flaw resides in the UsersController->actionImpersonateWithToken function, which allows improper access control (CWE-863). The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with network accessibility and no prerequisites for exploitation.

An attacker with low privileges, or even an unauthenticated user provided with a shared URL, can exploit this issue to escalate their access to administrator level. By abusing the impersonation token mechanism, the attacker gains full admin privileges, potentially enabling unauthorized data access, modification, or deletion across the CMS instance.

Craft CMS has addressed the vulnerability in versions 4.17.6 and 5.9.12, as detailed in the project's security advisory (GHSA-cc7p-2j3x-x7xf) and corresponding commit (6301e217c5f15617d939c432cb770db50af14b33). Security practitioners should prioritize upgrading affected installations to these patched releases to mitigate the risk.


Vulnerability details

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application (tactic: Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes unauthenticated or low-privilege remote abuse of an access-control flaw (the impersonation token) in a public-facing CMS to obtain full admin rights. This directly matches T1190 (initial foothold via the public application) and T1068 (the resulting privilege escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28784 (same product: Craftcms Craft Cms)
CVE-2026-31857 (same product: Craftcms Craft Cms)
CVE-2026-25497 (same product: Craftcms Craft Cms)
CVE-2026-25495 (same product: Craftcms Craft Cms)
CVE-2026-25498 (same product: Craftcms Craft Cms)
CVE-2025-68455 (same product: Craftcms Craft Cms)
CVE-2025-23209 (same product: Craftcms Craft Cms)
CVE-2026-31858 (same product: Craftcms Craft Cms)
CVE-2026-28696 (same product: Craftcms Craft Cms)
CVE-2025-68456 (same product: Craftcms Craft Cms)

Affected Assets

craftcms / craft cms: 4.0.0, 5.0.0 · 4.0.0.1 – 4.17.6 · 5.0.1 – 5.9.12

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

AC-3 Access Enforcement (prevent): Directly addresses the improper access control (CWE-863) in UsersController->actionImpersonateWithToken that enables unauthorized privilege escalation.

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and patching of the specific flaw fixed in Craft CMS versions 4.17.6 and 5.9.12.

Least privilege (prevent): Enforces least privilege to restrict low-privilege or unauthenticated users from accessing admin-level impersonation functions.
