Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-j1d4-j44f-yqh9
Vulnerability ID VCID-j1d4-j44f-yqh9
Aliases CVE-2026-44010
GHSA-gj2p-p9m4-c8gw
Summary Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-862 Missing Authorization
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-44010
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-44010
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
cvssv4 7.1 https://github.com/craftcms/cms
generic_textual HIGH https://github.com/craftcms/cms
cvssv4 7.1 https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
generic_textual HIGH https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
ssvc Track https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
cvssv3.1_qr HIGH https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
cvssv4 7.1 https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
generic_textual HIGH https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
ssvc Track https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
cvssv4 7.1 https://nvd.nist.gov/vuln/detail/CVE-2026-44010
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-44010
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-44010
https://nvd.nist.gov/vuln/detail/CVE-2026-44010
834b2cf61ad0dcee9b03add44ed402ebf18db128 https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
GHSA-gj2p-p9m4-c8gw https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
GHSA-gj2p-p9m4-c8gw https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
No exploits are available.
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/ Found at https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-13T14:22:09Z/ Found at https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-44010
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02819
EPSS Score 0.00014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:42:45.887515+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/44xxx/CVE-2026-44010.json 38.6.0