Platform: php
Component: craftcms/cms
Fixed in: 4.0.1, 5.0.1, 5.9.14
CVE-2026-33159 is an authentication bypass vulnerability in Craft CMS affecting versions 5.9.9 and earlier. The ConfigSyncController, which drives the Config Sync step of the updater, is reachable by unauthenticated guest users, so an anonymous request can trigger state-changing project config operations that should be restricted to authenticated control-panel users. The vulnerability was publicly disclosed on March 24, 2026, and is fixed in version 5.9.14 (and, for the 4.x line, 4.17.8).
The attack chain described in the advisory is in two steps. First, the controller's index action is reachable anonymously and returns the signed updater state data that the Config Sync flow expects. Second, that signed state can be replayed in follow-up requests to the regenerate-yaml and apply-yaml-changes actions, which regenerate the project config YAML from the database and apply pending YAML changes to the database, respectively. The result is that an unauthenticated remote user can trigger project config sync operations, and with them changes to the system settings, sites, fields, user groups and other settings that project config governs, without ever authenticating. The impact is severe because the operations are state-changing and require no credentials.
No public proof-of-concept (PoC) code had been released at the time of writing, but the bypass is a simple missing authorization check on an HTTP endpoint, so the barrier to exploitation is low. The CVE is not currently listed in the CISA KEV catalog. The ease of exploitation, combined with the potential impact, warrants careful monitoring and prompt patching.
Exploit status
EPSS: 0.08% (24th percentile)
CISA SSVC
The primary mitigation is to upgrade Craft CMS to version 5.9.14 or later (or 4.17.8 or later on the 4.x line), which restores the authorization check on the config sync operations. If an immediate upgrade is not feasible, reduce exposure in the meantime. The advisory does not name an official workaround, but blocking requests for the ConfigSyncController action routes at a web application firewall (WAF) or reverse proxy, or allowing them only from the addresses your administrators use, limits who can reach the endpoint. Also audit the project config itself: review the YAML under config/project/ (for example, diff it against the last known-good commit) and the project config change history in the control panel for changes you did not make, and revert anything unexpected. After upgrading, confirm the fix by requesting the ConfigSyncController index action without a session and verifying that the response is a 401/403 or a redirect to the login page rather than the updater state.
In short: update Craft CMS to version 4.17.8 or higher, or to version 5.9.14 or higher. This corrects the vulnerability that allows unauthenticated users to execute project configuration sync operations.
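The post-upgrade check described above, written out as a small probe. This is an added example, not code from the advisory or from the Craft CMS project. It assumes the site uses Craft's default action trigger, so that the controller's index action is reachable at /actions/config-sync/index; if the site has a custom actionTrigger or serves the control panel under a different base path, adjust ACTION_PATH. Only the response classification is exercised offline; the network probe runs when you pass a base URL on the command line.

```python
"""Check that the Craft CMS config-sync index action rejects anonymous requests.

Example code added for illustration (CVE-2026-33159 post-upgrade verification).
Assumption: Craft's default actionTrigger ("actions"), so the route is
/actions/config-sync/index. Adjust ACTION_PATH for non-default setups.
"""
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

ACTION_PATH = "/actions/config-sync/index"  # assumption: default action trigger


@dataclass
class Probe:
    """The parts of an HTTP response that decide the outcome."""
    status: int
    location: Optional[str]  # Location header, if the server redirected
    body: str                # first few KB of the body, for the report only


def classify(probe: Probe) -> str:
    """Map a response to 'denied', 'exposed' or 'unknown'.

    A patched site answers an anonymous request with 401/403, or (for
    browser-style requests) a redirect to the login page. An anonymous 200
    from this controller is the vulnerable behaviour: the updater state is
    being handed to a guest.
    """
    if probe.status in (401, 403):
        return "denied"
    if probe.status in (301, 302, 303, 307, 308):
        if probe.location and "login" in probe.location.lower():
            return "denied"
        return "unknown"  # redirected somewhere else; inspect manually
    if probe.status == 200:
        return "exposed"
    # 404 usually means the route did not match: check ACTION_PATH / actionTrigger.
    return "unknown"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: a 302 to the login page is the signal we want."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url: str, timeout: float = 10.0) -> Probe:
    """GET the config-sync index action with no session cookie."""
    url = base_url.rstrip("/") + ACTION_PATH
    req = urllib.request.Request(
        url,
        headers={
            # Ask for JSON so Craft answers an unauthenticated request with a
            # 403 body instead of rendering a page; a redirect is still handled.
            "Accept": "application/json",
            "User-Agent": "cve-2026-33159-check/1.0",
        },
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(4096).decode("utf-8", errors="replace")
            return Probe(resp.status, resp.headers.get("Location"), body)
    except urllib.error.HTTPError as err:
        # urllib raises for 3xx (because we refused the redirect) and 4xx/5xx.
        body = err.read(4096).decode("utf-8", errors="replace")
        return Probe(err.code, err.headers.get("Location"), body)


def main(argv):
    if len(argv) != 2:
        print("usage: check_config_sync.py https://example.test", file=sys.stderr)
        return 2
    probe = fetch(argv[1])
    verdict = classify(probe)
    print(f"{ACTION_PATH}: HTTP {probe.status} -> {verdict}")
    if verdict == "exposed":
        print("config-sync index answered an anonymous request; site is NOT patched")
        return 1
    if verdict == "unknown":
        print("inconclusive; check the route and the response body:", probe.body[:300])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_config_sync.py https://your-site` from a machine that has no Craft session cookie. A result of `denied` is what a patched install should produce; `exposed` means the index action still served a guest and the upgrade did not take effect (or a cache or proxy is serving a stale response).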
What is CVE-2026-33159?
CVE-2026-33159 is a vulnerability in Craft CMS versions 5.9.9 and earlier that allows unauthenticated users to trigger project config sync operations and thereby modify configuration settings.
Am I affected?
Yes, if you are running Craft CMS version 5.9.9 or earlier (or a 4.x release before 4.17.8), you are potentially affected by this vulnerability.
How do I fix it?
Upgrade Craft CMS to version 5.9.14 or later (4.17.8 or later on the 4.x line) to resolve the vulnerability. Consider temporary WAF or proxy rules that block the config-sync action routes if an immediate upgrade is not possible.
Is it being exploited?
While no active exploitation has been confirmed, the vulnerability's ease of exploitation warrants careful monitoring.
Where can I learn more?
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/](https://craftcms.com/security/)