CVE-2026-32267

Craft CMS Vulnerable to Privilege Escalation/Bypass through UsersController->actionImpersonateWithToken()

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate their privileges to admin by abusing UsersController->actionImpersonateWithToken. This issue has been patched in versions 4.17.6 and 5.9.12.

INFO

Published Date :

2026-03-16T19:04:47.781Z

Last Modified :

2026-03-16T19:04:47.781Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-32267 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32267.

URL	Resource
https://github.com/craftcms/cms/commit/6301e217c5f15617d939c432cb770db50af14b33
https://github.com/craftcms/cms/security/advisories/GHSA-cc7p-2j3x-x7xf

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability