Description

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

INFO

Published Date :

2026-03-04T16:21:43.199Z

Last Modified :

2026-03-04T18:00:59.824Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28696 vulnerability.

Vendors Products
Craftcms
  • Craft Cms
  • Craftcms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28696.

URL Resource
https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-7x43-mpfg-r9wj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact