CVE-2026-29069
Craft has an unauthenticated activation email trigger with potential user enumeration
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target userβs email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
| CWE | CWE-639 |
| Vendor | craftcms |
| Product | cms |
| Published | Mar 4, 2026 |
| Last Updated | Mar 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for craftcms cms
Be the first to know when new unknown vulnerabilities affecting craftcms cms are published β delivered to Slack, Telegram or Discord.
Get Free Alerts β
Free Β· No credit card Β· 60 sec setup
Affected Versions
craftcms / cms
>= 5.0.0-RC1, < 5.9.0-beta.2 >= 4.0.0-RC1, < 4.17.0-beta.2