CVE-2026-27128
TOCTOU Race Condition in Craft CMS Token Validation Enables Privilege Escalation
Publication date: 2026-02-24
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.8.23 (exc) |
| craftcms | craft_cms | 4.5.0 |
| craftcms | craft_cms | From 4.5.0 (exc) to 4.16.19 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27128 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability in the token validation service of Craft CMS. It affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The vulnerability exists in the getTokenRoute() method, which reads a token's usage count, checks whether it is within the allowed limit, and then updates the database in separate, non-atomic steps.

Because these operations are not atomic, an attacker can send concurrent requests using a valid single-use impersonation token to bypass the usage limit, allowing multiple uses of the token before the database update completes. To exploit this, the attacker must have a valid impersonation URL token for a user account with higher privileges than their own and must bypass any rate-limiting protections.

This vulnerability can lead to privilege escalation by enabling repeated use of a token intended for limited use. [1]
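The race described above, and the mutex fix the mitigation section refers to, reduced to a runnable model. This is an added example, not Craft's code: `TokenStore` is a constructed in-memory stand-in for the tokens table, `route_check_then_use` mirrors the read / check / update shape the advisory attributes to getTokenRoute(), and the two hardened variants (a process-local mutex, and a conditional UPDATE that moves the check into the database) are hypothetical fixes written for illustration. The `Barrier` forces the interleaving an attacker is racing for: every request finishes its read before any request writes.

```python
import threading


class TokenStore:
    """Constructed stand-in for a tokens table. Each method is one 'statement'
    and is atomic on its own, as a single SQL statement would be. The gap the
    advisory describes lies between the read and the update, not inside them."""

    def __init__(self):
        self._rows = {}                 # token -> [usageCount, usageLimit]
        self._row_lock = threading.Lock()

    def add(self, token, usage_limit):
        with self._row_lock:
            self._rows[token] = [0, usage_limit]

    def read_usage(self, token):
        # SELECT usageCount, usageLimit FROM tokens WHERE token = ?
        with self._row_lock:
            count, limit = self._rows[token]
            return count, limit

    def increment(self, token):
        # UPDATE tokens SET usageCount = usageCount + 1 WHERE token = ?
        with self._row_lock:
            self._rows[token][0] += 1

    def conditional_increment(self, token):
        # UPDATE tokens SET usageCount = usageCount + 1
        #  WHERE token = ? AND usageCount < usageLimit   (returns affected rows)
        with self._row_lock:
            row = self._rows[token]
            if row[0] >= row[1]:
                return False
            row[0] += 1
            return True


def route_check_then_use(store, token, rendezvous=None):
    """Vulnerable shape: read, check, then update as three separate steps.
    `rendezvous` (a Barrier) holds every racing request between its read and
    its write, the interleaving an attacker's concurrent requests aim for."""
    count, limit = store.read_usage(token)
    if rendezvous is not None:
        rendezvous.wait()
    if count >= limit:
        return None
    store.increment(token)
    return "impersonate"  # stands in for the route the CMS would return


TOKEN_MUTEX = threading.Lock()  # hypothetical process-local lock; see note below


def route_with_mutex(store, token, rendezvous=None):
    """Read, check and update inside one critical section."""
    if rendezvous is not None:
        rendezvous.wait()  # all requests arrive together, then serialize on the lock
    with TOKEN_MUTEX:
        count, limit = store.read_usage(token)
        if count >= limit:
            return None
        store.increment(token)
        return "impersonate"


def route_with_conditional_update(store, token, rendezvous=None):
    """Push the check into the update so the database enforces the limit."""
    if rendezvous is not None:
        rendezvous.wait()
    return "impersonate" if store.conditional_increment(token) else None


def race(route_fn, requests=8, usage_limit=1):
    """Fire `requests` concurrent uses of one token; return how many succeeded."""
    store = TokenStore()
    store.add("tok", usage_limit)
    barrier = threading.Barrier(requests)
    results = []
    results_lock = threading.Lock()

    def worker():
        outcome = route_fn(store, "tok", barrier)
        with results_lock:
            results.append(outcome)

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


if __name__ == "__main__":
    print("check-then-use:    ", race(route_check_then_use))            # 8 uses of a single-use token
    print("mutex:             ", race(route_with_mutex))                # 1
    print("conditional update:", race(route_with_conditional_update))   # 1
```

Two caveats for anyone porting the idea to a real PHP deployment: a `threading.Lock` only serializes requests inside one process, whereas PHP-FPM handles concurrent requests in separate worker processes (and often on several hosts), so the real lock has to be shared across them (a database or cache-backed mutex), and the conditional-UPDATE form is attractive precisely because it needs no lock at all: the database applies the predicate and the increment as one statement, and the affected-row count tells the caller whether it won.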
How can this vulnerability impact me?
This vulnerability can allow an attacker to reuse a single-use impersonation token multiple times, effectively bypassing intended usage limits.
If the attacker obtains a token for a user account with higher privileges, they can escalate their privileges by impersonating that user repeatedly.
This can lead to unauthorized access to sensitive data or administrative functions within the Craft CMS environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a race condition in the token validation service of Craft CMS, which can be exploited by sending concurrent requests using a valid impersonation token. Detection would involve monitoring for unusual concurrent requests to impersonation URLs or repeated use of single-use tokens.
There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.
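The detection approach sketched above, run over web-server access logs. This is an added example, not something from the advisory or from Craft: the log lines are constructed (combined log format, documentation IP ranges), and it assumes the token arrives in the `token` query parameter (Craft's default `tokenParam`; change `TOKEN_PARAM` if your site renames it). Any token that appears more than once is a finding on its own, since the token is meant to be single-use; the `burst` flag separates a cluster of hits within a few seconds (the shape of a concurrent-request race) from a second click minutes later.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample access-log lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [24/Feb/2026:10:15:01 +0000] "GET /?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.10 - - [24/Feb/2026:10:15:01 +0000] "GET /?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.10 - - [24/Feb/2026:10:15:01 +0000] "GET /?token=AAAA1111 HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [24/Feb/2026:10:16:40 +0000] "GET /?token=BBBB2222 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Feb/2026:10:16:41 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2026:10:20:00 +0000] "GET /?token=CCCC3333 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [24/Feb/2026:10:25:00 +0000] "GET /?token=CCCC3333 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Assumption: the token rides in this query parameter (Craft's default tokenParam).
TOKEN_PARAM = "token"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (timestamp, client ip, token or None, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    query = parse_qs(urlparse(m["path"]).query)
    token = query.get(TOKEN_PARAM, [None])[0]
    return ts, m["ip"], token, int(m["status"])


def find_token_reuse(log_text, window_seconds=10):
    """Map each token seen more than once to its hit count, the client IPs that
    presented it, and whether any two hits fell within window_seconds of each
    other. Status codes are deliberately not filtered: a race that loses still
    leaves extra hits, and a race that wins may return the same 302 as the
    legitimate use."""
    hits_by_token = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2]:
            hits_by_token[rec[2]].append((rec[0], rec[1]))

    findings = {}
    for token, hits in hits_by_token.items():
        if len(hits) < 2:
            continue
        hits.sort()
        burst = any(
            (hits[i + 1][0] - hits[i][0]).total_seconds() <= window_seconds
            for i in range(len(hits) - 1)
        )
        findings[token] = {
            "hits": len(hits),
            "ips": sorted({ip for _, ip in hits}),
            "burst": burst,
        }
    return findings


if __name__ == "__main__":
    for token, info in find_token_reuse(SAMPLE_LOG).items():
        kind = "concurrent reuse" if info["burst"] else "delayed reuse"
        print(f"{token}: {info['hits']} hits from {info['ips']} ({kind})")
```

If the site runs behind a load balancer across several web nodes, the racing requests will be spread over those nodes' logs; the grouping only works on a centralised copy, and the timestamps need to agree to within the window you choose.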
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft CMS to a patched version where the vulnerability is fixed. Specifically, update to version 4.16.19 or later in the 4.x series, or 5.8.23 or later in the 5.x series.
The fix involves introducing a mutex lock in the token validation process to prevent race conditions by ensuring atomic operations when checking and updating token usage counts.
Until the update can be applied, consider monitoring and limiting concurrent requests to impersonation URLs and enforcing strict rate-limiting to reduce the risk of exploitation.