CVE-2026-29113
Status: Received - Intake
CSRF Vulnerability in Craft CMS Preview Token Enables Unauthorized Access

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
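The description above names the two missing controls (no POST requirement, no CSRF token) and the attacker-chosen previewToken. The following toy model, added here and not taken from Craft CMS, reproduces exactly that behaviour in a vulnerable handler next to a hardened one, and shows why the forged request lands in one but not the other. Whether the real fix also stops honouring a client-supplied token is an assumption of this example; the hardened variant mints the token server-side regardless.

```python
"""Toy model of the preview/create-token action before and after the fix.

Added example, not Craft CMS code: it reproduces only the behaviour the
advisory describes (any method accepted, no CSRF check, client-chosen
previewToken) and one hardened variant. Whether the real fix also stops
honouring a client-supplied token is an assumption made here.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    user: Optional[str]                 # logged-in editor, None if anonymous
    csrf_token: Optional[str] = None    # CSRF value submitted with the request
    session_csrf: Optional[str] = None  # CSRF value bound to the victim's session


@dataclass
class TokenStore:
    # preview token -> editor whose preview scope the token grants
    tokens: Dict[str, str] = field(default_factory=dict)


def create_token_vulnerable(req: Request, store: TokenStore) -> str:
    """Pre-fix behaviour: only a login is required. Method and CSRF token are
    never checked, and the token value comes straight from the request."""
    if req.user is None:
        raise PermissionError("login required")
    token = req.params["previewToken"]  # attacker-controlled
    store.tokens[token] = req.user
    return token


def create_token_fixed(req: Request, store: TokenStore) -> str:
    """Hardened variant: POST only, CSRF token must match the session value,
    and the token is minted server-side so it cannot be chosen cross-site."""
    if req.method != "POST":
        raise ValueError("405 Method Not Allowed")
    if not (req.csrf_token and req.session_csrf
            and hmac.compare_digest(req.csrf_token, req.session_csrf)):
        raise PermissionError("400 Bad CSRF token")
    if req.user is None:
        raise PermissionError("login required")
    token = secrets.token_urlsafe(32)
    store.tokens[token] = req.user
    return token


def fetch_preview(token: str, store: TokenStore) -> Optional[str]:
    """Anonymous preview access: the token alone selects an editor's scope."""
    return store.tokens.get(token)


def simulate_forced_mint(handler) -> Optional[str]:
    """Cross-site GET triggered from an attacker page while the victim editor
    is logged in: attacker-chosen token, no CSRF value travels with it.
    Returns the scope the attacker can then read anonymously, or None."""
    store = TokenStore()
    forged = Request(method="GET", params={"previewToken": "attacker-chosen"},
                     user="editor", csrf_token=None, session_csrf="s3ss10n")
    try:
        handler(forged, store)
    except (ValueError, PermissionError):
        pass
    return fetch_preview("attacker-chosen", store)


def simulate_legitimate_mint() -> bool:
    """Sanity check that the hardened handler still serves the editor's own
    control-panel request, and that the minted token resolves to them."""
    store = TokenStore()
    req = Request(method="POST", params={}, user="editor",
                  csrf_token="s3ss10n", session_csrf="s3ss10n")
    token = create_token_fixed(req, store)
    return fetch_preview(token, store) == "editor"


if __name__ == "__main__":
    print("vulnerable:", simulate_forced_mint(create_token_vulnerable))  # editor
    print("fixed:     ", simulate_forced_mint(create_token_fixed))       # None
    print("legit:     ", simulate_legitimate_mint())                     # True
```

The forged request carries the victim's session cookie (modelled by `user="editor"`) but no CSRF value, which is exactly the shape a browser produces for a cross-site image or link load. The method check alone would already stop that request; the CSRF check additionally stops a forged POST from an attacker page, and server-side minting means an attacker who somehow triggers the action still cannot predict the token.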
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor    Product    Version / Range
craftcms  craft_cms  From 5.0.0 (inc) to 5.9.7 (exc)
craftcms  craft_cms  From 4.0.0 (inc) to 4.17.4 (exc)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Craft CMS versions prior to 4.17.4 and 5.9.7. It is a Cross-Site Request Forgery (CSRF) issue in the preview token endpoint located at /actions/preview/create-token.

The endpoint accepts a previewToken supplied by an attacker and does not require a POST request nor enforce a CSRF token. This allows an attacker to trick a logged-in editor into creating a preview token chosen by the attacker.

The attacker can then use this token without authentication to access previewed or unpublished content that is tied to the victim editor's authorized preview scope.


How can this vulnerability impact me?

An attacker can exploit this vulnerability to gain unauthorized access to previewed or unpublished content within the Craft CMS environment.

This means sensitive or confidential content that is not yet published could be exposed to unauthorized parties.

The attacker achieves this by forcing a logged-in editor to mint a preview token that the attacker controls, bypassing normal authentication.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Craft CMS to version 4.17.4 or later on the 4.x branch, or 5.9.7 or later on the 5.x branch, where the CSRF issue in the preview token endpoint is fixed.
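The detection question above is left unanswered on the page. As an added example, not from the page or from Craft CMS, the following check scans web server access logs for the request shape the advisory describes: a non-POST request to /actions/preview/create-token that carries a client-supplied previewToken and does not come from the site itself. The log lines are constructed for the demonstration (a legitimate POST and a same-site GET are included to show what the check leaves alone), and the site host name is a parameter you supply.

```python
"""Heuristic log check for forced minting of preview tokens.

Added example, not from the page or from Craft CMS. It scans constructed
combined-format web server log lines (below) for requests to
/actions/preview/create-token that are not POST, carry a client-supplied
previewToken, and arrive without a same-site Referer. The site host name
is a parameter; the log lines are invented for the demonstration.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/actions/preview/create-token"

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /actions/preview/create-token?previewToken=abc123 HTTP/1.1" 200 87 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:01:09 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 87 "https://cms.example/admin/entries/1" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "GET /actions/preview/create-token?previewToken=abc123 HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:10:01:30 +0000] "GET /actions/preview/create-token?previewToken=xyz789 HTTP/1.1" 200 87 "https://cms.example/admin/entries/1" "Mozilla/5.0"
"""

# Apache/nginx "combined" format:
# ip ident user [ts] "method target proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_forced_token_mints(lines: List[str], site_host: str) -> List[Dict]:
    """Return one finding per request that looks like a cross-site GET mint."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        qs = parse_qs(url.query)
        token = qs.get("previewToken", [None])[0]
        if m["method"] == "POST" or token is None:
            continue  # POST with a server-minted token is the fixed shape
        referer_host = (urlsplit(m["referer"]).hostname
                        if m["referer"] != "-" else None)
        if referer_host == site_host:
            continue  # same-site GET: possibly the legacy control-panel flow
        reasons = [
            f"{m['method']} to a state-changing action",
            "client-supplied previewToken",
            "no referer" if referer_host is None
            else f"cross-site referer {referer_host}",
        ]
        findings.append({"ip": m["ip"], "ts": m["ts"], "token": token,
                         "status": int(m["status"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_forced_token_mints(SAMPLE_LOG.splitlines(), "cms.example"):
        print(f["ts"], f["ip"], f["token"], "; ".join(f["reasons"]))
```

The Referer test is a heuristic, not proof: a browser will not let an attacker page forge a same-site Referer, but the attacker can suppress it entirely (the third sample line), which is why an absent Referer is flagged rather than ignored. A hit gives you the token value and the client address; on an unpatched site, the same token value showing up later in anonymous preview requests from a different address is the follow-on access the advisory describes.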

