LeakyCreds

CVE-2026-32267 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: March 17, 2026

Craft CMS - Privilege Escalation

Published: March 16, 2026 | Updated: March 17, 2026 | PoC Available | Remote Exploitable

Overview

Craft CMS 4.0.0-RC1 up to (but not including) 4.17.6 and 5.0.0-RC1 up to (but not including) 5.9.12 contain a privilege escalation flaw caused by abuse of UsersController->actionImpersonateWithToken, which lets low-privilege or unauthenticated users escalate to admin. Exploitation requires a shared URL or low-privilege access.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 1.7% (probability of exploitation in the next 30 days)

Impact

Attackers can escalate privileges to admin, gaining full control over the CMS.

Mitigation

Update to versions 4.17.6 or 5.9.12 or later.

Social Media Activity (2 posts)

Offensive Sequence (@offseq), Mar 17, 2026

🚨 CRITICAL: CVE-2026-32267 in Craft CMS (4.x <4.17.6, 5.x <5.9.12) — incorrect auth allows privilege escalation to admin via shared URLs. Upgrade ASAP! Details: https://radar.offseq.com/threat/cve-2026-32267-cwe-863-incorrect-authorization-in--65bf3522 #OffSeq #CraftCMS #CVE202632267 #Vulnerability


Details

CVE ID: CVE-2026-32267
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: confirmed
EPSS: 1.7%
Social Posts: 2

CWE

  • CWE-863

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

1.7% (probability of exploitation in the next 30 days)