Executive Summary

CVE-2026-28696 is a critical Insecure Direct Object Reference (IDOR) vulnerability in the Craft CMS package affecting the GraphQL directive @parseRefs. This directive is designed to parse internal reference tags (e.g., {user:1:email}) but lacks proper authorization checks. As a result, both authenticated users and unauthenticated guests (if the Public Schema is enabled) can access sensitive attributes of any CMS element without permission.

The vulnerability arises because the Elements::parseRefs method fetches referenced elements and accesses their attributes directly without enforcing canView() permission checks. This allows attackers to read data they are not authorized to view, including user data, private entries, assets, and custom fields.

Attackers can exploit this by enumerating sensitive administrator or user attributes such as email, photoId, username, and admin status. They can also trigger server errors that leak internal server stack traces and file system paths. Unauthenticated exploitation is possible if the Public Schema is enabled, allowing data leakage without authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized access to Personally Identifiable Information (PII) such as usernames, emails, and administrator status. Attackers can escalate privileges and leak sensitive user and system data.

It can also lead to server-side information disclosure through error messages that reveal internal paths and stack traces, potentially aiding further attacks.

If the Public Schema is enabled, unauthenticated attackers can exploit this vulnerability to bypass authentication and access confidential content, private entries, and assets that should be restricted.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the GraphQL @parseRefs directive to access sensitive data without proper authorization. Specifically, you can send crafted GraphQL POST requests querying entries with the @parseRefs directive to see if sensitive attributes such as usernames or emails are exposed.'}, {'type': 'paragraph', 'content': 'A practical detection method involves creating a GraphQL query that includes internal reference tags (e.g., {user:1:email}) in fields like entry titles and observing if the response reveals unauthorized data or causes server errors exposing internal paths.'}, {'type': 'paragraph', 'content': 'Example command using curl to test the vulnerability (replace URL and payload accordingly):'}, {'type': 'list_item', 'content': 'curl -X POST https://your-craftcms-site.com/graphql -H "Content-Type: application/json" -d \'{"query":"{ entries { title @parseRefs } }"}\''}, {'type': 'paragraph', 'content': 'If the response contains sensitive user data or internal server error traces, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the vulnerability is fixed by enforcing authorization checks in the Elements::parseRefs method.

Additionally, you can disable or make the @parseRefs GraphQL directive optional in your GraphQL schemas to prevent unauthorized data exposure.

Specifically, from Craft CMS version 4.16.17 onwards, the @parseRefs directive can be disabled per schema via the UI by unchecking the directive in the GraphQL schema settings, reducing the attack surface.

If you have enabled the Public Schema, consider disabling it or restricting its permissions to prevent unauthenticated exploitation.

Useful 0 Not Useful 0