LeakyCreds

CVE-2026-32267 - Vulnerability Analysis

Severity: Critical (CVSS 9.8)

Last Updated: March 17, 2026

Craft CMS - Privilege Escalation

Published: March 16, 2026
Updated: March 17, 2026
PoC Available, Remote Exploitable

Overview

Craft CMS versions from 4.0.0-RC1 up to (but not including) 4.17.6, and from 5.0.0-RC1 up to (but not including) 5.9.12, contain a privilege escalation in UsersController->actionImpersonateWithToken. By abusing this action, a low-privilege user, or an unauthenticated user who has been sent a shared URL, can escalate to an admin account. Exploitation therefore requires either low-privilege access to the site or possession of such a shared URL.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 3.1% (probability of exploitation in the next 30 days)

Impact

Attackers can escalate privileges to admin, gaining full control over the CMS.

Mitigation

Update to Craft CMS 4.17.6 or later on the 4.x branch, or 5.9.12 or later on the 5.x branch.
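To check whether a deployment falls inside the affected ranges stated above, the following script (an added example, not code from this page or from Craft CMS) parses the `craftcms/cms` version out of a composer.lock and compares it against the two ranges. It handles pre-release tags such as `-RC1` so that `4.0.0-RC1` sorts below `4.0.0` rather than being misread. The composer.lock content is constructed for the example; the only assumption about the real file is Composer's standard layout, where each locked package appears under `packages` with `name` and `version` keys.

```python
import json
import re
import sys

# Affected ranges as stated in the advisory: lower bound inclusive, upper bound exclusive.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.6"), ("5.0.0-RC1", "5.9.12")]

# Matches "4.17.6", "v5.9.12", "5.0.0-RC1", "5.0.0-beta.1".
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


def parse_version(text):
    """Return a sortable tuple (major, minor, patch, is_final, pre_rank, pre_num).

    A pre-release has is_final=0 so it sorts before the final release of the
    same major.minor.patch; alpha < beta < rc within the same number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        return (int(major), int(minor), int(patch), 1, 0, 0)
    rank = {"alpha": 0, "beta": 1, "rc": 2}[tag.lower()]
    return (int(major), int(minor), int(patch), 0, rank, int(num or 0))


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def craft_version_from_lock(lock_json):
    """Extract the locked craftcms/cms version from composer.lock content, or None."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None


# Constructed composer.lock fragment for the example (not a real project's lock file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "5.9.11"},
    ]
})


def check_lock(lock_json):
    """Return (version, affected) for the craftcms/cms entry in a composer.lock."""
    version = craft_version_from_lock(lock_json)
    if version is None:
        return (None, False)
    return (version, is_affected(version))


if __name__ == "__main__":
    # Usage: python check_craft.py [path/to/composer.lock]; defaults to the sample.
    content = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    version, affected = check_lock(content)
    if version is None:
        print("craftcms/cms not found in lock file")
    else:
        print(f"craftcms/cms {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

The upper bounds are exclusive, so `4.17.6` and `5.9.12` themselves are reported as not affected, matching the fixed versions given in the Mitigation section. Pre-releases earlier than the listed RC1 lower bounds fall outside the stated ranges; the script reports only what the advisory states and does not vouch for them.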

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Mar 18, 2026

🔓 CVE-2026-32267 - Critical (9.8) Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.6 and from version 5.0.0-RC1 to before version 5.9.12, a low-privilege user (or an unauthenticated user who has been sent a shared URL) can escalate thei... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32267/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-32267
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: confirmed
EPSS: 3.1%
Social Posts: 1

CWE

  • CWE-863 (Incorrect Authorization)

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.1% (probability of exploitation in the next 30 days)