Platform: php
Component: cms
Fixed in: 4.0.1, 3.0.1
CVE-2024-21622 is a privilege escalation vulnerability in Craft CMS, a content management system. It allows an attacker who already holds specific user permissions to elevate those privileges within the system, leading to unauthorized access and control. The vulnerability affects versions 3.0.0–>= 4.0.0-RC1 and those prior to 4.5.11. A fix is available in Craft CMS versions 4.4.16 and 3.9.6.
Successful exploitation of CVE-2024-21622 could grant an attacker elevated privileges within a Craft CMS installation, allowing them to modify sensitive data, install malicious code, or take complete control of the affected website. The impact is particularly severe for installations with poorly configured user permissions, where the vulnerability could be used to bypass access controls. The advisory does not detail specific attack vectors, but any privilege escalation represents a significant risk to data integrity and system security.
CVE-2024-21622 was publicly disclosed on January 3, 2024. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog at the time of this writing. The vulnerability's impact is contingent on specific user permission configurations, which may limit its exploitability in some environments.
EPSS: 0.10% (28th percentile)
The primary mitigation for CVE-2024-21622 is to upgrade Craft CMS to version 4.4.16 or 3.9.6, as these versions contain the fix. If an immediate upgrade is not feasible, review and tighten user permission configurations within Craft CMS to limit the damage a compromised or malicious low-privilege account could do; grant users only the minimum privileges they need. Consider a Web Application Firewall (WAF) with rules to detect and block suspicious requests that look like privilege escalation attempts. After upgrading, confirm the fix by attempting to access restricted resources with a user account that previously had limited permissions.
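The first step in the mitigation above is knowing whether an installation is below the fixed versions. The following added example (not from the advisory or the Craft CMS project) reads a composer.lock document, finds the craftcms/cms package, and compares its version against the 3.9.6 / 4.4.16 fix releases named here; the sample lock fragment is constructed, and the treatment of majors other than 3 and 4 as unaffected is an assumption.

```python
import json
import re

# Fixed versions named in this advisory's mitigation text, per major branch.
FIXED_VERSIONS = {3: (3, 9, 6), 4: (4, 4, 16)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?")


def parse_version(text):
    """Return a comparable tuple for a Composer-style version such as '4.0.0-RC1'.
    A pre-release sorts before the final release with the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    # Final release gets 1 so it sorts after any (0, 'rc1') pre-release.
    return (major, minor, patch, 0 if pre else 1, (pre or "").lower())


def is_vulnerable(version):
    """True when a craftcms/cms version is below the fix for its major branch.
    Assumption: majors with no listed fix (e.g. 2.x, 5.x) are treated as unaffected."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        return False
    return v < parse_version("%d.%d.%d" % fixed)


def check_composer_lock(lock_json):
    """Scan a composer.lock document (as text) for craftcms/cms.
    Returns (installed_version, vulnerable), or (None, False) if absent."""
    data = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                ver = pkg["version"]
                return ver, is_vulnerable(ver)
    return None, False


# Constructed sample composer.lock fragment (not taken from any real project).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "4.4.15"},
        {"name": "yiisoft/yii2", "version": "2.0.48"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    ver, vuln = check_composer_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {ver}: {'VULNERABLE - upgrade' if vuln else 'not affected'}")
```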
Update Craft CMS to version 4.4.16 or later, or to version 3.9.6 or later. This fixes the privilege escalation vulnerability. Make a backup before upgrading.
CVE-2024-21622 is a medium severity privilege escalation vulnerability in Craft CMS affecting versions 3.0.0–>= 4.0.0-RC1 and < 4.5.11. Attackers with specific permissions could elevate their privileges.
You are affected if you are using Craft CMS versions 3.0.0–>= 4.0.0-RC1 and < 4.5.11. Check your version and upgrade if necessary.
Upgrade Craft CMS to version 4.4.16 or 3.9.6. Review and tighten user permission configurations to minimize potential impact.
There is currently no indication of active exploitation in the wild or publicly available proof-of-concept exploits.
Refer to the official Craft CMS security advisory for details: [https://craftcms.com/security/bulletins/cve-2024-21622](https://craftcms.com/security/bulletins/cve-2024-21622)