Impact Analysis

This vulnerability can lead to significant data disclosure because users with admin privileges or explicit permission to access the Sprig Playground might expose security keys, credentials, and other sensitive configuration data.

Since the vulnerability allows running the hashData() signing function, it could also expose sensitive cryptographic operations, potentially compromising the integrity of signed data.

The CVSS score of 5.5 indicates a moderate risk, with the attack vector being network-based and low complexity, but requiring high privileges. There is no impact on availability, but confidentiality is highly impacted and integrity is slightly impacted.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Executive Summary

CVE-2026-27131 is a moderate severity vulnerability in the Sprig Plugin for Craft CMS, which is a reactive Twig component framework. In versions starting from 2.0.0 up to before 2.15.2 and 3.15.2, admin users and users with explicit permission to access the Sprig Playground could potentially expose sensitive information such as security keys, credentials, and other configuration data.

This vulnerability exists because the Sprig Playground remained accessible even when the Craft CMS development mode (devMode) was disabled, which should normally restrict such access. Additionally, these users could run the hashData() signing function, potentially exposing sensitive operations.

The issue was mitigated in versions 2.15.2 and 3.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled by default, although this behavior can be overridden by a new configuration setting.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized access to the Sprig Playground in Craft CMS when devMode is disabled. Detection involves verifying whether the Sprig Playground is accessible in non-development environments.

To detect this on your system, you can check the configuration settings of the Craft Sprig plugin, specifically the values of `enablePlayground` and `enablePlaygroundWhenDevModeDisabled`.

Since the vulnerability requires admin or explicit permission access, you can also audit user permissions related to Sprig Playground access.

Suggested commands or steps include:

• Inspect the Craft CMS configuration files (e.g., `config.php`) for the Sprig plugin settings related to `enablePlayground` and `enablePlaygroundWhenDevModeDisabled`.
• Check if `devMode` is disabled in the Craft CMS environment.
• Attempt to access the Sprig Playground URL in a browser or via curl/wget to see if it is accessible when `devMode` is off.
• Review user roles and permissions in Craft CMS to identify users with admin rights or explicit Sprig Playground access.
• Use network monitoring tools to detect unusual access patterns to the Sprig Playground endpoints.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should update the Craft Sprig plugin to version 3.15.2 or 2.15.2 or later, where the issue is fixed by disabling Sprig Playground access when `devMode` is disabled.

Ensure that the configuration setting `enablePlaygroundWhenDevModeDisabled` is set to `false` (which is the default) to prevent the playground from being accessible in production or non-development environments.

If you must keep the playground enabled in production for some reason, be aware that this increases risk and should be done with caution.

Additionally, review and restrict user permissions to limit access to the Sprig Playground only to trusted admin users.

Disabling or restricting access to the Sprig Playground when not needed reduces the risk of sensitive data exposure.

Useful 0 Not Useful 0