Auth bypass in Craftcms Cms

CVE-2026-44010

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API t…

Vulnerability class: Broken Access Control

EPSS: 0.000 (2.9th percentile) — read the EPSS interpretation.

Affected products

Craftcms Cms — versions >= 5.0.0, < 5.9.18, >= 4.0.0, < 4.17.12

Weakness classification (CWE)

CWE-862 — Missing Authorization

References

security-advisories@github.com (x_refsource_CONFIRM)
security-advisories@github.com (x_refsource_MISC)