CVE-2026-32267
Privilege Escalation in Craft CMS UsersController via Token Abuse
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0.1 (inc) to 4.17.6 (exc) |
| craftcms | craft_cms | From 5.0.1 (inc) to 5.9.12 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | Incorrect Authorization: the product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32267 is a high-severity privilege escalation vulnerability in Craft CMS affecting versions from 4.0.0-RC1 to before 4.17.6 and 5.0.0-RC1 to before 5.9.12. It allows a low-privilege or unauthenticated user who has a valid preview token to escalate their privileges to admin by abusing the UsersController->actionImpersonateWithToken method.
The vulnerability arises because the impersonation endpoint improperly validates tokens and disables certain security checks, allowing any valid token from any route to be used for impersonation. Specifically, the requireToken() guard only checks if a token was presented but does not verify if the token is intended for the impersonation action. Additionally, the actionImpersonateWithToken method is accessible anonymously and performs no further authorization.
An attacker can easily obtain a preview token by creating and previewing any article, then use that token with specially crafted URL parameters to impersonate the admin user without authentication.
How can this vulnerability impact me?
This vulnerability can have severe impacts as it allows an attacker with minimal privileges or even no authentication to escalate their privileges to an administrator level within Craft CMS.
An attacker can gain full admin access, allowing them to control the CMS, modify content, change configurations, access sensitive data, and potentially compromise the entire website or application running on Craft CMS.
This can lead to unauthorized data access, data manipulation, service disruption, and further exploitation of the underlying system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or unauthorized use of preview tokens in URLs, especially those containing parameters like action=users/impersonate-with-token, userId=1, and prevUserId=1, which indicate attempts to escalate privileges via the impersonation endpoint.
To detect exploitation attempts on your system, you can search your web server logs for requests containing these suspicious parameters combined with preview tokens.
- Use grep or similar tools to find requests with the impersonation action and token usage, for example:
- grep -i 'action=users/impersonate-with-token' /path/to/access.log
- grep -i 'token=' /path/to/access.log | grep 'userId=1'
Additionally, monitoring for requests that bypass normal authentication flows or that include preview tokens in unexpected contexts can help identify exploitation attempts. [2]
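Added example, not code from the page or from the Craft CMS project: a small Python log scanner that applies the indicators above to constructed combined-format access-log lines. It decodes the request target before matching, so URL-encoded variants of the action parameter (which a literal grep would miss) are still caught, and it does not flag ordinary preview requests that carry a token but never name the impersonation route. The IP addresses, timestamps and token values are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); tokens are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [16/Mar/2026:10:01:02 +0000] "GET /index.php?action=users/impersonate-with-token&token=PLACEHOLDER_TOKEN&userId=1&prevUserId=1 HTTP/1.1" 302 0
203.0.113.5 - - [16/Mar/2026:10:01:03 +0000] "GET /index.php?action=users%2Fimpersonate-with-token&token=PLACEHOLDER_TOKEN&userId=1 HTTP/1.1" 302 0
198.51.100.7 - - [16/Mar/2026:10:02:00 +0000] "GET /news/draft-article?token=PLACEHOLDER_TOKEN HTTP/1.1" 200 5120
198.51.100.7 - - [16/Mar/2026:10:02:05 +0000] "GET /admin/entries/news HTTP/1.1" 200 8192
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
IMPERSONATE_ROUTE = "users/impersonate-with-token"


def parse_line(line):
    """Parse one combined-format line; return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "status": int(m.group("status")),
        "path": unquote(parts.path),
        "query": parse_qs(parts.query),  # parse_qs percent-decodes keys and values
    }


def is_impersonation_attempt(rec):
    """True when the request names the impersonation route AND presents a token parameter."""
    action_values = rec["query"].get("action", [])
    names_route = any(IMPERSONATE_ROUTE in v for v in action_values) or IMPERSONATE_ROUTE in rec["path"]
    return names_route and "token" in rec["query"]


def scan_log(text):
    """Return (ip, timestamp, userId, prevUserId) for each suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_impersonation_attempt(rec):
            q = rec["query"]
            findings.append((rec["ip"], rec["ts"], q.get("userId", [None])[0], q.get("prevUserId", [None])[0]))
    return findings


if __name__ == "__main__":
    for ip, ts, uid, prev in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} impersonation attempt: userId={uid} prevUserId={prev}")
```

The two flagged lines are the only ones that name the impersonation route; the third line is a normal token-bearing preview request and is left alone.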
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade Craft CMS to a patched version: 4.17.6 or later for the 4.x branch, or 5.9.12 or later for the 5.x branch.
Until the update can be applied, consider restricting access to the preview token functionality or the impersonation endpoint by implementing additional access controls or network-level restrictions.
Review and monitor token usage to ensure tokens are not reused beyond their intended scope, and invalidate any suspicious or shared preview tokens.
Apply the security patch, which strengthens token validation and usage tracking and enforces strict binding of each token to its intended route, so that a preview token can no longer be used to reach the impersonation action.