CVE-2026-29069

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.17.0:beta1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.9.0:beta1:*:*:*:*:*:*

History

17 Jun 2026, 10:29

Type Values Removed Values Added
Summary
  • (es) Craft es un sistema de gestión de contenido (CMS). Antes de 5.9.0-beta.2 y 4.17.0-beta.2, el endpoint actionSendActivationEmail() es accesible para usuarios no autenticados y no requiere una verificación de permisos para usuarios pendientes. Un atacante sin acceso previo puede activar correos electrónicos de activación para cualquier cuenta de usuario pendiente al conocer o adivinar el ID de usuario. Si el atacante controla la dirección de correo electrónico del usuario objetivo, puede activar la cuenta y obtener acceso al sistema. Esta vulnerabilidad está corregida en 5.9.0-beta.2 y 4.17.0-beta.2.

05 Mar 2026, 10:40

Type Values Removed Values Added
CPE cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.9.0:beta1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.17.0:beta1:*:*:*:*:*:*
First Time Craftcms
Craftcms craft Cms
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.3
References () https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8 - () https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8 - Patch
References () https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq - () https://github.com/craftcms/cms/security/advisories/GHSA-234q-vvw3-mrfq - Patch, Vendor Advisory

04 Mar 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-04 17:16

Updated : 2026-06-17 10:29


NVD link : CVE-2026-29069

Mitre link : CVE-2026-29069

CVE.ORG link : CVE-2026-29069


JSON object : View

Products Affected

craftcms

  • craft_cms
CWE
CWE-639

Authorization Bypass Through User-Controlled Key