Platform: php
Component: craftcms/cms
Fixed in: 4.0.1, 5.0.1, 4.17.4
CVE-2026-29113 describes an Information Disclosure vulnerability within Craft CMS. This flaw allows an attacker to leverage a logged-in editor to generate preview tokens, granting unauthorized access to unpublished content. The vulnerability affects versions of Craft CMS up to and including 4.9.7, and a patch is available in version 4.17.4.
The core impact of CVE-2026-29113 lies in the potential for unauthorized access to unpublished content within a Craft CMS instance. An attacker can craft a malicious request that forces a logged-in editor to generate a preview token under the attacker's control. This token, when used, bypasses authentication and allows the attacker to view content designated for preview, which may include sensitive or draft information not intended for public consumption. The blast radius is limited to the scope of the previewed content and the permissions of the affected editor. While the CVSS score is low, the potential for data exposure, particularly in environments with sensitive draft content, warrants immediate attention.
CVE-2026-29113 was publicly disclosed on 2026-03-10. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on CISA KEV. The EPSS score is likely low, reflecting the lack of public exploits and the relatively limited impact. Active exploitation is not currently confirmed, but the ease of exploitation, once a victim is identified, suggests potential for opportunistic attacks.
Organizations and individuals utilizing Craft CMS for content management, particularly those with sensitive draft content or a large number of editors with preview access, are at risk. Shared hosting environments where multiple Craft CMS instances reside on the same server could potentially expose multiple sites to this vulnerability if one instance is compromised.
• php: Examine Craft CMS application logs for unusual activity related to the /actions/preview/create-token endpoint. Look for requests originating from unexpected IP addresses or user agents.
  grep "/actions/preview/create-token" /path/to/craftcms/app/logs/web.log
• generic web: Monitor access logs for requests to /actions/preview/create-token with unusual parameters or originating from unfamiliar sources.
  grep "/actions/preview/create-token" /var/log/apache2/access.log
• generic web: Check response headers for unexpected content or error codes when accessing /actions/preview/create-token.
  curl -I https://your-craftcms-site.com/actions/preview/create-token
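The grep commands above only list every hit on the endpoint; an analyst still has to decide which hits are worth a look. The following script is an added example (it is not part of this advisory and not Craft CMS code) that parses Apache/nginx combined-format access log lines, keeps only requests to /actions/preview/create-token, and flags the ones whose Referer host is not the site itself or whose source IP is outside an expected set. The site hostname, the expected editor IPs and the log lines are all constructed for the example; the Referer heuristic is an assumption about what a request triggered from another site typically looks like and is not something the advisory states.

```python
import re

# Endpoint named in the advisory's detection guidance
ENDPOINT = "/actions/preview/create-token"

# Assumption: the hostname users normally reach the control panel on
SITE_HOST = "cms.example.test"

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def referer_host(referer):
    """Hostname portion of a Referer value; None for '-' or non-URL values."""
    m = re.match(r"^https?://([^/:]+)", referer)
    return m.group(1).lower() if m else None


def scan(lines, expected_ips=frozenset()):
    """Return (all create-token hits, flagged hits as (ts, ip, reasons) tuples).

    A missing Referer is reported as low-confidence: browsers and privacy
    settings strip it legitimately, so it is a prompt to look, not proof.
    """
    hits, flagged = [], []
    for line in lines:
        rec = parse_line(line)
        # Compare the path without its query string so ?foo=bar variants still match
        if rec is None or rec["path"].split("?", 1)[0] != ENDPOINT:
            continue
        hits.append(rec)
        reasons = []
        host = referer_host(rec["referer"])
        if host is None:
            reasons.append("no-referer")
        elif host != SITE_HOST:
            reasons.append("offsite-referer:" + host)
        if expected_ips and rec["ip"] not in expected_ips:
            reasons.append("unexpected-ip")
        if reasons:
            flagged.append((rec["ts"], rec["ip"], reasons))
    return hits, flagged


# Constructed sample log lines (addresses are documentation ranges, not real hosts)
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Mar/2026:09:12:01 +0000] "POST /actions/preview/create-token HTTP/1.1" '
    '200 142 "https://cms.example.test/admin/entries/news/42" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:09:15:44 +0000] "POST /actions/preview/create-token HTTP/1.1" '
    '200 142 "https://third-party.example/page.html" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2026:09:16:02 +0000] "GET /actions/preview/create-token?x=1 HTTP/1.1" '
    '200 142 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Mar/2026:09:17:30 +0000] "GET /news/hello-world HTTP/1.1" '
    '200 5120 "https://cms.example.test/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Assumption: the only workstation expected to mint preview tokens
    hits, flagged = scan(SAMPLE_LOG, expected_ips={"203.0.113.10"})
    print(f"{len(hits)} create-token request(s), {len(flagged)} flagged")
    for ts, ip, reasons in flagged:
        print(f"  {ts}  {ip}  {', '.join(reasons)}")
```

In practice, replace SAMPLE_LOG with the lines read from the access log and set SITE_HOST and expected_ips from your own environment; the Referer check pairs naturally with the WAF or proxy restriction the mitigation section describes, since both key on the same endpoint.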
Exploit status
EPSS: 0.01% (0th percentile)
CISA SSVC
The primary mitigation for CVE-2026-29113 is to upgrade Craft CMS to version 4.17.4 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing a temporary workaround by restricting access to the /actions/preview/create-token endpoint. This can be achieved through web application firewall (WAF) rules or proxy configurations that block unauthorized requests to this endpoint. Monitor Craft CMS logs for suspicious activity related to preview token creation and usage. After upgrading, confirm the fix by attempting to generate a preview token through an external source and verifying that access to previewed content is denied.
Update Craft CMS to version 4.17.4 or later, or to version 5.9.7 or later. This fixes the CSRF vulnerability in the preview token creation endpoint and prevents unauthenticated attackers from accessing unpublished content.
CVE-2026-29113 is a vulnerability in Craft CMS that allows attackers to access unpublished content by generating preview tokens. It affects versions up to 4.9.7 and has a CVSS score of 2.5 (LOW).
You are affected if you are running Craft CMS version 4.9.7 or earlier. Verify your version and upgrade accordingly.
Upgrade Craft CMS to version 4.17.4 or later to resolve this vulnerability. As a temporary workaround, restrict access to the /actions/preview/create-token endpoint.
Active exploitation is not currently confirmed, but the ease of exploitation suggests potential for opportunistic attacks.
Refer to the official Craft CMS security advisory for detailed information and updates: [https://craftcms.com/security/advisories](https://craftcms.com/security/advisories)