CVE-2026-27128
Received Received - Intake
TOCTOU Race Condition in Craft CMS Token Validation Enables Privilege Escalation

Publication date: 2026-02-24

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27128
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 5.0.0 (exc) to 5.8.23 (exc)
craftcms craft_cms 4.5.0
craftcms craft_cms 4.5.0
craftcms craft_cms From 4.5.0 (exc) to 4.16.19 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27128 is a Time-of-Check-Time-of-Use (TOCTOU) race condition vulnerability in the token validation service of Craft CMS. It affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The vulnerability exists in the getTokenRoute() method, which reads a token's usage count, checks if it is within allowed limits, and then updates the database in separate, non-atomic steps."}, {'type': 'paragraph', 'content': 'Because these operations are not atomic, an attacker can send concurrent requests using a valid single-use impersonation token to bypass the usage limit, allowing multiple uses of the token before the database update completes. To exploit this, the attacker must have a valid impersonation URL token for a user account with higher privileges than their own and bypass any rate-limiting protections.'}, {'type': 'paragraph', 'content': 'This vulnerability can lead to privilege escalation by enabling repeated use of a token intended for limited use.'}] [1]

Impact Analysis

This vulnerability can allow an attacker to reuse a single-use impersonation token multiple times, effectively bypassing intended usage limits.

If the attacker obtains a token for a user account with higher privileges, they can escalate their privileges by impersonating that user repeatedly.

This can lead to unauthorized access to sensitive data or administrative functions within the Craft CMS environment.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves a race condition in the token validation service of Craft CMS, which can be exploited by sending concurrent requests using a valid impersonation token. Detection would involve monitoring for unusual concurrent requests to impersonation URLs or repeated use of single-use tokens.

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to a patched version where the vulnerability is fixed. Specifically, update to version 4.16.19 or later in the 4.x series, or 5.8.23 or later in the 5.x series.

The fix involves introducing a mutex lock in the token validation process to prevent race conditions by ensuring atomic operations when checking and updating token usage counts.

Until the update can be applied, consider monitoring and limiting concurrent requests to impersonation URLs and enforcing strict rate-limiting to reduce the risk of exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27128. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart