Platform: php
Component: craftcms/cms
Fixed in: 4.0.1, 5.0.1, 5.9.14
CVE-2026-33159 is an authentication bypass in Craft CMS versions 5.9.9 and earlier. The Config Sync updater actions were reachable by unauthenticated guests, who could use them to perform state-changing operations. The vulnerability was publicly disclosed on March 24, 2026, and a patch is available in version 5.9.14.
The bypass chains two weaknesses. First, the index endpoint of ConfigSyncController accepts anonymous requests and returns signed updater state data. Second, that signed data can be replayed in follow-up requests to the regenerate-yaml and apply-yaml-changes actions, so a guest can regenerate and apply project config changes without ever authenticating. Applying attacker-influenced project config can alter site settings and other critical parameters and may compromise the application and its data; the impact is severe because the modification is remote and requires no credentials.
No public proof-of-concept (PoC) code had been released at the time of writing, but the bypass is simple in nature, so the barrier to exploitation is low. The CVE is not currently listed in the CISA KEV catalog. The combination of easy exploitation and high impact warrants prompt patching and monitoring for attempts.
Craft CMS installations running versions 5.9.9 and earlier are at risk, in particular sites whose control panel action routes are reachable from the internet. Shared hosting environments running Craft CMS are at increased risk because of the potential for cross-site contamination.
• php: Examine web server access logs for requests to /admin/actions/config-sync/index and to the regenerate-yaml and apply-yaml-changes actions from addresses that are not known administrator sources. A 200 response to such a request is the indicator; a 403 or a redirect to the login page means it was rejected.
• php: Search the project config YAML under config/project/ (and the generic config files) for unexpected changes; if the directory is tracked in version control, `git diff` against the last known-good commit is the quickest check.
• generic web: Monitor the status code and content type returned by the ConfigSyncController actions to anonymous requests; a JSON 200 to a request without a session is a sign of exposure or abuse.
• generic web: Use curl to request /admin/actions/config-sync/index without authentication and confirm that the server answers with 403 or a redirect to the login page rather than updater state.
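The log review described in the checks above, as an added example that is not part of the advisory or of Craft CMS. It parses combined-format access log lines, maps each request to a config-sync action, and reports requests from addresses outside an allow-list of known administrator sources, grading by whether the server accepted them. The sample log lines and the allow-list are constructed; the control panel trigger `admin` and the `?action=` / `?p=` request forms are assumptions about the site's routing.

```python
"""Added example (not the advisory's or Craft CMS's own code): scan an access log
for requests to the Craft CMS config-sync actions from non-administrator sources."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# nginx/Apache "combined" log format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

STATE_CHANGING = {"regenerate-yaml", "apply-yaml-changes"}


def config_sync_action(target):
    """Return the config-sync action a request targets, or None.
    Covers the advisory's /admin/actions/config-sync/<action> path and, as an
    assumption, Craft's other action-request forms (/actions/..., ?action=..., ?p=...)."""
    parts = urlsplit(target)
    m = re.search(r"/actions/config-sync/([a-z-]+)$", parts.path)
    if m:
        return m.group(1)
    for key in ("action", "p"):
        for value in parse_qs(parts.query).get(key, []):
            m = re.match(r"(?:actions/)?config-sync/([a-z-]+)$", value)
            if m:
                return m.group(1)
    return None


def scan_log(lines, admin_ips=frozenset()):
    """Return findings for config-sync requests from addresses not in admin_ips."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        action = config_sync_action(m["target"])
        if action is None or m["ip"] in admin_ips:
            continue
        status = int(m["status"])
        # A 403 or a redirect to the login page means Craft rejected the request;
        # only a 200 shows the action was actually served to that client.
        if status != 200:
            severity = "info"
        elif action in STATE_CHANGING:
            severity = "critical"  # project config was regenerated or applied
        else:
            severity = "high"      # signed updater state handed to a guest
        findings.append({"ip": m["ip"], "time": m["time"], "method": m["method"],
                         "action": action, "status": status, "severity": severity})
    return findings


def sources_by_severity(findings):
    """Count offending source addresses per severity, for a quick triage view."""
    return {sev: Counter(f["ip"] for f in findings if f["severity"] == sev)
            for sev in ("critical", "high", "info")}


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Mar/2026:10:01:03 +0000] "GET /admin/actions/config-sync/index HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2026:10:01:05 +0000] "POST /admin/actions/config-sync/regenerate-yaml HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2026:10:01:06 +0000] "POST /admin/actions/config-sync/apply-yaml-changes HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [24/Mar/2026:10:05:11 +0000] "GET /index.php?action=config-sync/index HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '192.0.2.10 - - [24/Mar/2026:11:00:00 +0000] "GET /admin/actions/config-sync/index HTTP/1.1" 200 812 "https://example.com/admin/utilities/project-config" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2026:10:02:00 +0000] "GET /blog HTTP/1.1" 200 5000 "-" "Mozilla/5.0"',
]
ADMIN_IPS = frozenset({"192.0.2.10"})  # constructed allow-list of administrator egress addresses

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG, ADMIN_IPS):
        print(f"{f['severity']:<8} {f['ip']:<15} {f['method']:<4} config-sync/{f['action']} -> {f['status']} at {f['time']}")
    print(sources_by_severity(scan_log(SAMPLE_LOG, ADMIN_IPS)))
```

Run it against a real log with `scan_log(open("/var/log/nginx/access.log"), ADMIN_IPS)`. The allow-list exists only to cut noise from legitimate control panel use: an administrator with a valid session also hits config-sync/index from the project config utility, so the decisive signal is a 200 from an address that should never have had a session.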
Exploit status: disclosure
EPSS: 0.08% (24th percentile)
CISA SSVC
The primary mitigation is to upgrade Craft CMS to version 5.9.14 or later, which contains the fix. If an immediate upgrade is not feasible, reduce exposure in the meantime: the advisory does not state a direct workaround, but restricting access to the ConfigSyncController action routes with web application firewall (WAF) rules or reverse proxy configuration limits who can reach them. Audit the project config for changes you did not make and revert any that are unauthorized. After upgrading, confirm the fix by requesting the ConfigSyncController index endpoint anonymously and verifying that authentication is now required.
Update Craft CMS to version 4.17.8 or later, or to version 5.9.14 or later. This fixes the vulnerability that let unauthenticated users run project config synchronization operations.
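The post-upgrade check described above, as an added example rather than code from the advisory or from Craft CMS: it sends one anonymous request to the config-sync index endpoint, refuses to follow redirects so the login redirect stays visible, and classifies the answer. `classify` is separated from the network call so it can be exercised on captured responses. The URL layout assumes the default control panel trigger `admin`; the `Accept` and `X-Requested-With` headers are an assumption about how the updater's own requests look and only serve to get a JSON answer rather than an HTML page.

```python
"""Added example (not the advisory's or Craft CMS's own code): verify that an
anonymous request to config-sync/index is rejected after patching or WAF changes."""
import json
import urllib.error
import urllib.request


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx as HTTPError instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status, headers, body):
    """Interpret an anonymous response to config-sync/index.
    headers: dict with lowercase header names; body: bytes.
    Returns 'blocked', 'redirected', 'exposed' or 'unexpected'."""
    if status in (401, 403):
        return "blocked"
    if status in (301, 302, 303, 307, 308):
        location = headers.get("location", "").lower()
        # A redirect to the login page is the normal rejection for a browser-style request.
        return "blocked" if "login" in location else "redirected"
    if status == 200:
        if "json" not in headers.get("content-type", "").lower():
            return "unexpected"
        try:
            data = json.loads(body.decode("utf-8", "replace"))
        except ValueError:
            return "unexpected"
        # Pre-fix behaviour per the advisory: a guest receives the signed updater
        # state as JSON. Any JSON object served to an anonymous request is treated
        # as exposure; the exact field names are deliberately not relied on.
        return "exposed" if isinstance(data, dict) else "unexpected"
    return "unexpected"


def check_anonymous_access(base_url, cp_trigger="admin", timeout=10):
    """Request the index action without a session and classify the response."""
    url = f"{base_url.rstrip('/')}/{cp_trigger}/actions/config-sync/index"
    req = urllib.request.Request(url, headers={
        "Accept": "application/json",
        "X-Requested-With": "XMLHttpRequest",
    })
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            status = resp.status
            headers = {k.lower(): v for k, v in resp.headers.items()}
            body = resp.read()
    except urllib.error.HTTPError as err:  # 3xx (via NoRedirect), 4xx and 5xx land here
        status = err.code
        headers = {k.lower(): v for k, v in err.headers.items()}
        body = err.read()
    return classify(status, headers, body)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder host
    verdict = check_anonymous_access(target)
    print(f"{target}: {verdict}")
    sys.exit(0 if verdict == "blocked" else 1)
```

Treat `exposed` as a failed check and `unexpected` or `redirected` as something to inspect by hand (a WAF challenge page or a redirect elsewhere, for instance), not as a pass. The same check with the site's proper session cookie should still succeed for an administrator, which confirms the WAF rule did not break the project config utility.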
CVE-2026-33159 is a vulnerability in Craft CMS versions 5.9.9 and earlier that lets unauthenticated users run project config synchronization actions and so modify configuration.
Yes: if you run Craft CMS version 5.9.9 or earlier, you are potentially affected.
Upgrade Craft CMS to version 5.9.14 or later. If you cannot upgrade immediately, restrict access to the config-sync action routes with temporary WAF rules.
No active exploitation has been confirmed, but the bypass is easy to exploit, so monitor access logs for attempts.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/](https://craftcms.com/security/)