CVE-2026-27128

{"id": "CVE-2026-27128", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 1.7}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-24T03:16:02.623", "references": [{"url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-367"}]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS\u2019s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token\u2019s usage count, checks if it\u2019s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenidos (CMS). En las versiones 4.5.0-RC1 a 4.16.18 y 5.0.0-RC1 a 5.8.22, existe una condici\u00f3n de carrera Time-of-Check-Time-of-Use (TOCTOU) en el servicio de validaci\u00f3n de tokens de Craft CMS para tokens que establecen expl\u00edcitamente un uso limitado. El m\u00e9todo `getTokenRoute()` lee el recuento de uso de un token, verifica si est\u00e1 dentro de los l\u00edmites y luego actualiza la base de datos en operaciones no at\u00f3micas separadas. Al enviar solicitudes concurrentes, un atacante puede usar un token de suplantaci\u00f3n de un solo uso varias veces antes de que se complete la actualizaci\u00f3n de la base de datos. Para que esto funcione, un atacante necesita obtener una URL de suplantaci\u00f3n de cuenta de usuario v\u00e1lida con un token no caducado por otros medios y explotar una condici\u00f3n de carrera mientras elude cualquier regla de limitaci\u00f3n de velocidad existente. Para que esto sea una escalada de privilegios, la URL de suplantaci\u00f3n debe incluir un token para una cuenta de usuario con m\u00e1s permisos que el usuario actual. Las versiones 4.16.19 y 5.8.23 aplican un parche al problema."}], "lastModified": "2026-02-27T20:06:52.050", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF425F3E-1E6A-4EE8-A1F8-9FA5399DE8DD", "versionEndExcluding": "4.16.19", "versionStartExcluding": "4.5.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A9572A70-5447-4861-9EC3-E51C5A7A9C56", "versionEndExcluding": "5.8.23", "versionStartExcluding": "5.0.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "48EC469C-4A9C-40A5-AD71-386D47255223"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "25BADF46-CF5B-448C-BE38-D297D7512534"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}