GHSA-7x43-mpfg-r9wj

Suggest an improvement
Source
https://github.com/advisories/GHSA-7x43-mpfg-r9wj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x43-mpfg-r9wj/GHSA-7x43-mpfg-r9wj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-7x43-mpfg-r9wj
Aliases
Published
2026-03-03T20:38:55Z
Modified
2026-03-04T18:48:33.368678Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Craft CMS has IDOR via GraphQL @parseRefs
Details

The GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view.

Vulnerability Details

craft\services\Elements::parseRefs identifies reference tags and resolves them using _getRefTokenReplacement. This method fetches the referenced element and accesses the specified attribute via $element->$attribute.

  • Missing Auth Check: It bypasses canView() checks.
  • Polymorphic Access: getElementTypeByRefHandle allows referencing any element type (entry, asset, user, category).
  • Custom Field Access: Since Craft elements use __get() to resolve custom field handles, an attacker is not limited to core attributes. They can exfiltrate any custom field data by enumerating the field handle (e.g. {entry:123:privateNotes}).

Attack Vectors

  1. Privilege Escalation / User Data Leak

An attacker can enumerate sensitive attributes of administrators or other users.

  • Payload: {user:1:email} or {user:1:photoId}
  1. Arbitrary Property Reflection & Server-Side Logic Execution

The vulnerability allows reflecting any accessible property of the underlying Element model.

  • Username/Admin Enumeration: {user:1:username} (Confirmed: returns admin), {user:1:admin}.
  • Internal Path Disclosure: Accessing methods that trigger errors (e.g., {user:1:authKey}) exposes full server stack traces in the GraphQL error response (e.g., Exception: No user session token exists with paths like /var/www/html/...).
  1. IDOR on Private Entries & Assets (Polymorphism)

The vulnerability is not limited to Users. Reference tags can target any element type.

  • Payload: {entry:456:myConfidentialField} (Bypasses canView checks).
  • Asset Path Leakage: {volume:1:path} can expose internal file system paths.
  1. Unauthenticated Exploitation (Public Schema)

Confirmed locally. The @parseRefs directive is active in the Public Schema. By injecting a payload into a public-facing field (e.g., a "News" entry title), an unauthenticated guest can trigger the resolution and retrieve the sensitive output.

Steps to Reproduce

  1. Setup (Admin Panel):
  • Create a Section (e.g., "News") and an Entry Type.
  • Create a new Entry in that section. Set the Title to the payload: {user:1:username} or {user:1:email}.
  • Go to GraphQL > Schemas > Public Schema. Enable it, and ensure "Query for elements in the Site" and "News" section queries are checked.
  1. Execute Exploit (Unauthenticated):
  • Send a POST request to http://localhost:8000/index.php?action=graphql/api: 
    curl -X POST \
-H "Content-Type: application/json" \
-d '{"query": "{ entries { title @parseRefs } }"}'
  1. Observation:
  • The API returns {"data":{"entries":[{"title":"admin"}]}} (or the email).
  • Using {user:1:authKey} triggers an internal server error that leaks the full server path in string format.

Impact

  • Critical Information Disclosure: Full PII enumeration (emails, usernames).
  • System Information Leakage: Absolute server paths via stack traces.
  • Authentication Bypass: Guest accounts can effectively query the database as the system user.

Recommended Fix

Modify Elements::parseRefs to enforce canView permissions on the resolved element before extracting attributes.

References

https://github.com/craftcms/cms/commit/4d98a07e47580f1712095825d3e3c4d67bc9f8b9

Database specific 
{
    "github_reviewed": true,
    "severity": "HIGH",
    "nvd_published_at": "2026-03-04T17:16:21Z",
    "cwe_ids": [
        "CWE-639",
        "CWE-862"
    ],
    "github_reviewed_at": "2026-03-03T20:38:55Z"
}
References

Affected packages

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0-RC1
Fixed
4.17.0-beta.1

Affected versions

4.*
4.0.0-RC1
4.0.0-RC2
4.0.0-RC3
4.0.0
4.0.0.1
4.0.1
4.0.2
4.0.3
4.0.4
4.0.5
4.0.5.1
4.0.5.2
4.0.6
4.1.0
4.1.0.1
4.1.0.2
4.1.1
4.1.2
4.1.3
4.1.4
4.1.4.1
4.2.0
4.2.0.1
4.2.0.2
4.2.1
4.2.1.1
4.2.2
4.2.3
4.2.4
4.2.5
4.2.5.1
4.2.5.2
4.2.6
4.2.7
4.2.8
4.3.0
4.3.1
4.3.2
4.3.2.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.6.1
4.3.7
4.3.7.1
4.3.8
4.3.8.1
4.3.8.2
4.3.9
4.3.10
4.3.11
4.4.0-beta.1
4.4.0-beta.2
4.4.0-beta.3
4.4.0-beta.4
4.4.0-beta.5
4.4.0-beta.6
4.4.0-beta.7
4.4.0
4.4.1
4.4.2
4.4.3
4.4.4
4.4.5
4.4.6
4.4.6.1
4.4.7
4.4.7.1
4.4.8
4.4.9
4.4.10
4.4.10.1
4.4.11
4.4.12
4.4.13
4.4.14
4.4.15
4.4.16
4.4.16.1
4.4.17
4.5.0-beta.1
4.5.0-beta.2
4.5.0
4.5.1
4.5.2
4.5.3
4.5.4
4.5.5
4.5.6
4.5.6.1
4.5.7
4.5.8
4.5.9
4.5.10
4.5.11
4.5.11.1
4.5.12
4.5.13
4.5.14
4.5.15
4.6.0-RC1
4.6.0
4.6.1
4.7.0
4.7.1
4.7.2
4.7.2.1
4.7.3
4.7.4
4.8.0
4.8.1
4.8.2
4.8.3
4.8.4
4.8.5
4.8.6
4.8.7
4.8.8
4.8.9
4.8.10
4.8.11
4.9.0
4.9.1
4.9.2
4.9.3
4.9.4
4.9.5
4.9.6
4.9.7
4.10.0-beta.1
4.10.0-beta.2
4.10.0
4.10.1
4.10.2
4.10.3
4.10.4
4.10.5
4.10.6
4.10.7
4.10.8
4.11.0
4.11.0.1
4.11.0.2
4.11.1
4.11.2
4.11.3
4.11.4
4.11.5
4.12.0
4.12.1
4.12.2
4.12.3
4.12.4
4.12.4.1
4.12.5
4.12.6
4.12.6.1
4.12.7
4.12.8
4.12.9
4.13.0
4.13.1
4.13.1.1
4.13.2
4.13.3
4.13.4
4.13.5
4.13.6
4.13.7
4.13.8
4.13.9
4.13.10
4.14.0
4.14.0.1
4.14.0.2
4.14.1
4.14.2
4.14.3
4.14.4
4.14.5
4.14.6
4.14.7
4.14.8
4.14.8.1
4.14.9
4.14.10
4.14.11
4.14.11.1
4.14.12
4.14.13
4.14.14
4.14.15
4.15.0-beta.1
4.15.0-beta.2
4.15.0
4.15.0.1
4.15.0.2
4.15.1
4.15.2
4.15.3
4.15.4
4.15.5
4.15.6
4.15.6.1
4.15.6.2
4.15.7
4.16.0
4.16.1
4.16.2
4.16.3
4.16.4
4.16.5
4.16.6
4.16.6.1
4.16.7
4.16.8
4.16.9
4.16.9.1
4.16.10
4.16.11
4.16.12
4.16.13
4.16.14
4.16.15
4.16.16
4.16.17
4.16.18
4.16.19

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x43-mpfg-r9wj/GHSA-7x43-mpfg-r9wj.json"

Packagist / craftcms/cms

Package

Name
craftcms/cms
Purl
pkg:composer/craftcms/cms

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0.0-RC1
Fixed
5.9.0-beta.1

Affected versions

5.*
5.0.0-RC1
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6
5.1.0
5.1.1
5.1.2
5.1.3
5.1.4
5.1.5
5.1.6
5.1.7
5.1.8
5.1.9
5.1.10
5.2.0-beta.1
5.2.0-beta.2
5.2.0-beta.3
5.2.0-beta.4
5.2.0-beta.5
5.2.0-beta.6
5.2.0
5.2.1
5.2.2
5.2.3
5.2.4
5.2.4.1
5.2.5
5.2.6
5.2.7
5.2.8
5.2.9
5.2.10
5.3.0-beta.1
5.3.0-beta.2
5.3.0
5.3.0.1
5.3.0.2
5.3.0.3
5.3.1
5.3.2
5.3.3
5.3.4
5.3.5
5.3.6
5.4.0
5.4.0.1
5.4.1
5.4.2
5.4.3
5.4.4
5.4.5
5.4.5.1
5.4.6
5.4.7
5.4.7.1
5.4.8
5.4.9
5.4.10
5.4.10.1
5.5.0
5.5.0.1
5.5.1
5.5.1.1
5.5.2
5.5.3
5.5.4
5.5.5
5.5.6
5.5.6.1
5.5.7
5.5.8
5.5.9
5.5.10
5.6.0
5.6.0.1
5.6.0.2
5.6.1
5.6.2
5.6.3
5.6.4
5.6.5
5.6.5.1
5.6.6
5.6.7
5.6.8
5.6.9
5.6.9.1
5.6.10
5.6.10.1
5.6.10.2
5.6.11
5.6.12
5.6.13
5.6.14
5.6.15
5.6.16
5.6.17
5.7.0-beta.1
5.7.0-beta.2
5.7.0
5.7.1
5.7.1.1
5.7.2
5.7.3
5.7.4
5.7.5
5.7.6
5.7.7
5.7.8
5.7.8.1
5.7.8.2
5.7.9
5.7.10
5.7.11
5.8.0
5.8.1
5.8.2
5.8.3
5.8.4
5.8.5
5.8.6
5.8.7
5.8.8
5.8.9
5.8.10
5.8.11
5.8.12
5.8.13
5.8.13.1
5.8.13.2
5.8.14
5.8.15
5.8.16
5.8.17
5.8.18
5.8.19
5.8.20
5.8.21
5.8.22
5.8.23

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7x43-mpfg-r9wj/GHSA-7x43-mpfg-r9wj.json"