Executive Summary

CVE-2026-33159 is a vulnerability in Craft CMS versions from 4.0.0-RC1 up to before 4.17.8 and from 5.0.0-RC1 up to before 5.9.14 that allows unauthenticated guest users to access and perform configuration synchronization actions that should be restricted.

Specifically, guest users can access the Config Sync updater index endpoint, obtain signed state data, and execute state-changing actions such as regenerating YAML configuration files and applying YAML changes without any authentication.

This happens because the ConfigSyncController inherits from a controller that allows anonymous access, and the index action exposes signed updater state data that guests can reuse to perform unauthorized configuration changes.

The vulnerability is linked to missing authentication and authorization controls for critical functions, classified under CWE-306 and CWE-862.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated users to perform unauthorized configuration changes on a Craft CMS installation.

Such unauthorized state-changing actions can compromise the integrity of the CMS configuration, potentially leading to service disruption, unexpected behavior, or exposure of sensitive configuration data.

Because these actions can be performed without authentication, attackers do not need valid credentials, increasing the risk of exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if unauthenticated users can access the Config Sync updater index and perform state-changing Config Sync actions without authentication.'}, {'type': 'paragraph', 'content': 'One way to detect this is by sending a POST request as a guest user to the endpoint `/admin/actions/config-sync/index` and observing if signed updater state data is returned.'}, {'type': 'paragraph', 'content': 'If signed data is accessible, further POST requests can be attempted to `/admin/actions/config-sync/regenerate-yaml` or `/admin/actions/config-sync/apply-yaml-changes` endpoints using the extracted signed data and CSRF tokens to verify if state-changing actions can be executed without authentication.'}, {'type': 'paragraph', 'content': 'Example commands using curl might include:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-craftcms-site/admin/actions/config-sync/index'}, {'type': 'list_item', 'content': 'Extract the signed data from the response JavaScript state (look for `Craft.updater = ...setState({"data":"<signedData>"})`).'}, {'type': 'list_item', 'content': 'Use the signed data in a POST request to `/admin/actions/config-sync/regenerate-yaml` or `/admin/actions/config-sync/apply-yaml-changes` to test if the action is allowed without authentication.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to a patched version where this vulnerability is fixed.

Specifically, update to version 4.17.8 or later if you are using the 4.x series, or version 5.9.14 or later if you are using the 5.x series.

The patch enforces access control by disallowing anonymous access to the Config Sync controller and requiring administrative privileges for these actions.

Until the update can be applied, consider restricting access to the `/admin/actions/config-sync/*` endpoints via network controls or web server rules to prevent unauthenticated access.

Useful 0 Not Useful 0