CVE-2026-14794
Received Received - Intake

Improper Authorization in Craft CMS

Vulnerability report for CVE-2026-14794, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A flaw has been found in Craft CMS up to 4.18.0.1. Affected by this vulnerability is the function actionGetNewUsersData of the file src/controllers/ChartsController.php of the component Charts Endpoint. This manipulation of the argument userGroupId causes improper authorization. The attack is possible to be carried out remotely. Upgrading to version 4.18.1 addresses this issue. Patch name: 9ee53efc1314e6aba32771c66a13e072a246f4ce. It is suggested to upgrade the affected component.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
craftcms craft_cms to 4.18.0.1|start_including=4.18.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass flaw in Craft CMS versions up to 4.18.0.1. It affects the function actionGetNewUsersData in the ChartsController.php file of the Charts Endpoint component. The issue arises from improper authorization due to manipulation of the userGroupId argument, allowing attackers to remotely access certain element index actions without proper permissions.

The vulnerability was fixed by adding a check to require a Control Panel (CP) request before executing the affected method, preventing unauthorized access.

Impact Analysis

This vulnerability can allow an attacker to bypass authorization controls and gain unauthorized access to certain data or actions within the Craft CMS application, specifically related to user data in the Charts Endpoint.

Such unauthorized access could lead to exposure of sensitive user information or manipulation of user-related data, potentially compromising the security and privacy of the affected system.

Detection Guidance

This vulnerability involves an authorization bypass in the actionGetNewUsersData function of the ChartsController.php file in Craft CMS. Detection would involve monitoring for unauthorized access attempts to this specific endpoint or function.

Since the vulnerability is related to improper authorization checks on the Charts Endpoint, you can look for unusual or unauthorized requests to this endpoint in your web server logs.

Suggested commands to detect potential exploitation attempts include:

  • Using grep to search web server logs for requests to the ChartsController or actionGetNewUsersData endpoint, e.g., `grep 'ChartsController.php' /var/log/apache2/access.log` or `grep 'actionGetNewUsersData' /var/log/nginx/access.log`.
  • Using network monitoring tools like tcpdump or Wireshark to capture and analyze HTTP requests targeting the vulnerable endpoint.
  • Checking application logs for unauthorized access or errors related to the Charts Endpoint.
Mitigation Strategies

The primary and recommended mitigation step is to upgrade Craft CMS to version 4.18.1 or later, as this version includes the patch that fixes the authorization bypass vulnerability.

The patch adds a check requiring a Control Panel (CP) request before executing the vulnerable function, preventing unauthorized access.

Until the upgrade can be applied, restrict access to the Charts Endpoint to trusted users or IP addresses if possible, to reduce the risk of exploitation.

Compliance Impact

This vulnerability involves an authorization bypass in Craft CMS that could allow unauthorized access to certain user data via the Charts Endpoint. Such unauthorized access to user data can potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

By allowing improper authorization, the flaw increases the risk of exposing personal data to unauthorized parties, which may violate principles of data confidentiality and access control mandated by these standards.

Upgrading to version 4.18.1, which includes a patch requiring Control Panel requests for the affected function, mitigates this risk and helps maintain compliance by enforcing proper authorization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14794. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart