Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope...

7.1 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Description

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

Basic Information

ID CVE-2026-44010

Source GitHub_M

Published May 12, 2026 at 20:17

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0, < 5.9.18

Affected Versions craftcms cms >= 5.0.0, < 5.9.18
craftcms cms >= 4.0.0, < 4.17.12

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.",
    "published": "2026-05-12T20:17:31.220Z",
    "modified": "2026-05-12T20:17:31.220Z",
    "type": "cve",
    "title": "Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw\nhttps://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128",
    "id": "CVE-2026-44010",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0, < 5.9.18\ncraftcms cms >= 4.0.0, < 4.17.12",
    "sourceHref": "",
    "cvss": {
        "score": 7.1,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0, < 5.9.18",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure_CVE-2026-44010