CVE-2026-29113

Received Received - Intake

CSRF Vulnerability in Craft CMS Preview Token Enables Unauthorized Access

Publication date: 2026-03-10

Last updated on: 2026-03-12

Assigner: GitHub, Inc.

Description

Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-10

Last Modified

2026-03-12

Generated

2026-06-16

AI Q&A

2026-03-10

EPSS Evaluated

2026-06-15

NVD

CVE-2026-29113

EUVD

EUVD-2026-10812

Affected Vendors & Products

Vendor	Product	Version / Range
craftcms	craft_cms	From 5.0.0 (inc) to 5.9.7 (exc)
craftcms	craft_cms	From 4.0.0 (inc) to 4.17.4 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-352	The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

Executive Summary

This vulnerability exists in Craft CMS versions prior to 4.17.4 and 5.9.7. It is a Cross-Site Request Forgery (CSRF) issue in the preview token endpoint located at /actions/preview/create-token.

The endpoint accepts a previewToken supplied by an attacker and does not require a POST request nor enforce a CSRF token. This allows an attacker to trick a logged-in editor into creating a preview token chosen by the attacker.

The attacker can then use this token without authentication to access previewed or unpublished content that is tied to the victim editor's authorized preview scope.

Impact Analysis

An attacker can exploit this vulnerability to gain unauthorized access to previewed or unpublished content within the Craft CMS environment.

This means sensitive or confidential content that is not yet published could be exposed to unauthorized parties.

The attacker achieves this by forcing a logged-in editor to mint a preview token that the attacker controls, bypassing normal authentication.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to version 4.17.4 or 5.9.7 or later, where the CSRF issue in the preview token endpoint is fixed.

Hi! I’m here to help you understand CVE-2026-29113. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-29113

CSRF Vulnerability in Craft CMS Preview Token Enables Unauthorized Access

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart