CVE-2026-29069
Received Received - Intake
Unauthorized Activation Email Trigger in Craft CMS Allows Account Takeover

Publication date: 2026-03-04

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system. This vulnerability is fixed in 5.9.0-beta.2 and 4.17.0-beta.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-04
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-03-04
EPSS Evaluated
2026-06-14
NVD
CVE-2026-29069
EUVD
EUVD-2026-9452
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0 (exc) to 4.17.0 (exc)
craftcms craft_cms From 5.0.0 (exc) to 5.9.0 (exc)
craftcms craft_cms 4.17.0
craftcms craft_cms 5.9.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-29069 is a moderate severity vulnerability in Craft CMS affecting versions before 5.9.0-beta.2 and 4.17.0-beta.2. The issue lies in the actionSendActivationEmail() endpoint, which is accessible to unauthenticated users and does not verify ownership of pending user accounts.'}, {'type': 'paragraph', 'content': "An attacker who knows or guesses a pending user's ID can trigger activation emails for that user. If the attacker controls the target user's email address, they can activate the account, set a password, and gain unauthorized access to the system."}, {'type': 'paragraph', 'content': 'The vulnerability arises because the endpoint accepts a userId parameter without verifying that the requester owns the account, allowing arbitrary triggering of activation emails and potential account takeover.'}] [2]

Impact Analysis

This vulnerability can impact you by allowing attackers to take over pending user accounts if they control the associated email addresses.

  • Targeted Account Takeover: Attackers can activate accounts and gain unauthorized access by triggering activation emails for pending users whose email addresses they control.
  • User ID Enumeration: Attackers can brute-force or enumerate user IDs to discover user states and map user accounts.
  • GraphQL-Assisted Attacks: If public GraphQL queries expose user data, attackers can identify pending users and target them for account takeover.
  • Email Spam and Harassment: Attackers can repeatedly trigger activation emails to harass users, damage reputation, and cause email deliverability issues.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized or unusual POST requests to the actionSendActivationEmail() endpoint, especially those that include arbitrary or sequential userId parameters.'}, {'type': 'paragraph', 'content': 'Detection methods include checking server logs or web application firewall logs for repeated or suspicious activation email requests that do not originate from authenticated users.'}, {'type': 'paragraph', 'content': 'Commands to help detect this activity might include using tools like curl or wget to simulate requests, or using grep to search logs for relevant patterns.'}, {'type': 'list_item', 'content': "Example command to search web server logs for POST requests to the vulnerable endpoint: grep 'POST /actions/users/send-activation-email' /path/to/access.log"}, {'type': 'list_item', 'content': "Example command to detect repeated activation email triggers by userId: grep 'userId=' /path/to/access.log | sort | uniq -c | sort -nr"}, {'type': 'list_item', 'content': "Use curl to test if the endpoint is accessible without authentication: curl -X POST -d 'userId=1' https://your-craftcms-site.com/actions/users/send-activation-email -v"}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading Craft CMS to version 5.9.0-beta.2 or later, or 4.17.0-beta.2 or later, where the vulnerability is fixed.'}, {'type': 'paragraph', 'content': "The fix involves enforcing strict permission checks, requiring POST requests from authenticated users with the 'editUsers' permission, and removing anonymous access to the actionSendActivationEmail() endpoint."}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider implementing temporary access controls such as restricting access to the vulnerable endpoint via firewall rules or web application firewall (WAF) rules to block unauthenticated requests.'}, {'type': 'paragraph', 'content': 'Monitor and rate-limit requests to the activation email endpoint to prevent brute-force enumeration or spam attacks.'}] [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29069. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart