CVE Alert

CVE-2026-28696

Severity: UNKNOWN (CVSS 0.0)

Craft affected by IDOR via GraphQL @parseRefs

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

CWE: CWE-639
Vendor: craftcms
Product: cms
Published: Mar 4, 2026
Last Updated: Mar 4, 2026

Affected Versions

craftcms / cms
>= 4.0.0-RC1, < 4.17.0-beta.1
>= 5.0.0-RC1, < 5.9.0-beta.1

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj
github.com: https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9