Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-eaxm-rjr7-xudb
Vulnerability ID VCID-eaxm-rjr7-xudb
Aliases CVE-2026-33159
GHSA-6mrr-q3pj-h53w
Summary Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations ### Summary Guest users can access Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication. ### Details `ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests. `index` emits signed updater state (`data`), which can be reused by guests in subsequent requests. Sensitive actions that are reachable via this method are `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`. #### Reproduction steps 1. Guest POST to: http POST /admin/actions/config-sync/index 2. Extract data from returned JS state: Craft.updater = ... setState({"data":"<signedData>", ...}); 3. Reuse data as a guest: ``` POST /admin/actions/config-sync/regenerate-yaml data=<signedData>&<csrfParam>=<csrfToken> ``` or ``` POST /admin/actions/config-sync/apply-yaml-changes data=<signedData>&<csrfParam>=<csrfToken> ``` 4. Observe completed response and state/file changes. ### Impact Unauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts. Depending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk. ### Resources https://github.com/craftcms/cms/commit/7f0ead833f7
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-306 Missing Authentication for Critical Function
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2026-33159
cvssv4 6.9 https://github.com/craftcms/cms
generic_textual MODERATE https://github.com/craftcms/cms
cvssv4 6.9 https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
generic_textual MODERATE https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
ssvc Track https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
cvssv4 6.9 https://github.com/craftcms/cms/releases/tag/4.17.8
generic_textual MODERATE https://github.com/craftcms/cms/releases/tag/4.17.8
ssvc Track https://github.com/craftcms/cms/releases/tag/4.17.8
cvssv4 6.9 https://github.com/craftcms/cms/releases/tag/5.9.14
generic_textual MODERATE https://github.com/craftcms/cms/releases/tag/5.9.14
ssvc Track https://github.com/craftcms/cms/releases/tag/5.9.14
cvssv4 6.9 https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
generic_textual MODERATE https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
cvssv4 6.9 https://nvd.nist.gov/vuln/detail/CVE-2026-33159
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-33159
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-33159
https://github.com/craftcms/cms
https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
https://github.com/craftcms/cms/releases/tag/4.17.8
https://github.com/craftcms/cms/releases/tag/5.9.14
https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
https://nvd.nist.gov/vuln/detail/CVE-2026-33159
GHSA-6mrr-q3pj-h53w https://github.com/advisories/GHSA-6mrr-q3pj-h53w
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/ Found at https://github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/4.17.8
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/ Found at https://github.com/craftcms/cms/releases/tag/4.17.8
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/releases/tag/5.9.14
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/ Found at https://github.com/craftcms/cms/releases/tag/5.9.14
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-03-24T17:57:07Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-33159
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.06623
EPSS Score 0.00023
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T16:58:06.376698+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-6mrr-q3pj-h53w/GHSA-6mrr-q3pj-h53w.json 38.6.0