Platform
php
Component
craftcms/cms
Fixed in
4.0.1
5.0.1
4.17.4
CVE-2026-29113 describes an information disclosure vulnerability in Craft CMS. The flaw allows an attacker to induce a logged-in editor to generate preview tokens, granting unauthorized access to unpublished content. The vulnerability affects versions of Craft CMS up to and including 4.9.7, and a patch is available in version 4.17.4.
The core impact of CVE-2026-29113 is unauthorized access to unpublished content in a Craft CMS instance. An attacker can craft a request that, when it reaches a logged-in editor, causes the editor's session to generate a preview token the attacker controls. That token, when used, bypasses authentication and lets the attacker view content designated for preview, which may include drafts or other sensitive material not intended for public consumption. The blast radius is limited to the scope of the previewed content and the permissions of the affected editor. Although the CVSS score is low, the potential for data exposure, particularly in environments with sensitive draft content, warrants immediate attention.
CVE-2026-29113 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on CISA KEV. The EPSS score is likely low, reflecting the lack of public exploits and the relatively limited impact. Active exploitation is not currently confirmed, but the ease of exploitation, once a victim is identified, suggests potential for opportunistic attacks.
Exploit Status
EPSS
0.01% (0% percentile)
CISA SSVC
The primary mitigation for CVE-2026-29113 is to upgrade Craft CMS to version 4.17.4 or later, which includes the fix. If an immediate upgrade is not feasible, a temporary workaround is to restrict access to the /actions/preview/create-token endpoint through web application firewall (WAF) rules or proxy configuration that blocks unauthorized requests to it. Monitor Craft CMS logs for suspicious activity related to preview token creation and usage. After upgrading, confirm the fix by attempting to generate a preview token from an external source and verifying that access to the previewed content is denied.
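As an added example (not code from this advisory or from Craft CMS), the following script applies the monitoring advice above: it reads web-server access log lines in the common combined format and flags requests to the /actions/preview/create-token endpoint whose Referer is missing or points at a host other than the site itself, the trace a cross-site token-creation request would leave. The site hostname and the sample log lines are constructed assumptions.

```python
"""Flag requests to Craft's preview-token endpoint whose Referer is not
the site itself (a cross-site request pattern consistent with CSRF).
Example detection logic added to this advisory; not Craft CMS code.
Assumes Apache/nginx 'combined' log format and the hostname below."""
import re
from urllib.parse import urlparse

SITE_HOST = "cms.example.test"              # assumption: your Craft site hostname
ENDPOINT = "/actions/preview/create-token"  # endpoint named in the advisory

# Combined format: ip - user [time] "METHOD path HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cross_site(referer, site_host=SITE_HOST):
    """True when the Referer is absent or names a host other than the site."""
    if not referer or referer == "-":
        return True
    return (urlparse(referer).hostname or "").lower() != site_host.lower()

def suspicious_preview_requests(lines, site_host=SITE_HOST):
    """Return (ip, time, referer) for create-token hits that look cross-site."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec or not rec["path"].split("?", 1)[0].startswith(ENDPOINT):
            continue
        if is_cross_site(rec["referer"], site_host):
            hits.append((rec["ip"], rec["time"], rec["referer"]))
    return hits

# Constructed sample lines (not real traffic): one legitimate, two suspicious, one unrelated
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:10:01:02 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 312 "https://cms.example.test/admin/entries/news/42" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:02:15 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 312 "https://other-site.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:10:02:16 +0000] "GET /actions/preview/create-token?entryId=42 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2026:10:03:00 +0000] "GET /news/some-article HTTP/1.1" 200 5120 "https://other-site.example/page.html" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, ref in suspicious_preview_requests(SAMPLE_LOG):
        print(f"{when} {ip} cross-site create-token request, referer={ref!r}")
```

Legitimate editor traffic carries the site's own control-panel URL as Referer, so only requests lacking that are reported; tune SITE_HOST to every hostname your control panel is served from.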
Update Craft CMS to version 4.17.4 or higher, or to version 5.9.7 or higher. This fixes the CSRF vulnerability in the preview token creation endpoint, preventing unauthenticated attackers from accessing unpublished content.
CVE-2026-29113 is a vulnerability in Craft CMS that allows attackers to access unpublished content by generating preview tokens. It affects versions up to 4.9.7 and has a CVSS score of 2.5 (LOW).
You are affected if you are running Craft CMS version 4.9.7 or earlier. Verify your version and upgrade accordingly.
Upgrade Craft CMS to version 4.17.4 or later to resolve this vulnerability. As a temporary workaround, restrict access to the /actions/preview/create-token endpoint.
Active exploitation is not currently confirmed, but the ease of exploitation suggests potential for opportunistic attacks.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)