CVE-2026-44010

Sažetak

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

Reference

https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

13-05-2026 - 16:16

Objavljeno

12-05-2026 - 21:16