CVE-2026-29113 in Craft
Summary
by MITRE • 03/10/2026
Craft is a content management system (CMS). Prior to 4.17.4 and 5.9.7, Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. This vulnerability is fixed in 4.17.4 and 5.9.7.
Analysis
by VulDB Data Team • 03/14/2026
CVE-2026-29113 affects Craft CMS versions prior to 4.17.4 and 5.9.7 and is a critical cross-site request forgery weakness in the preview token endpoint, /actions/preview/create-token. The endpoint accepts a previewToken value supplied by the requester, does not require the POST method, and does not verify a CSRF token. An authenticated user who is lured to a malicious site, or who follows a crafted link, can therefore be made to generate a preview token whose value the attacker chose.
Exploitation relies on the absence of request validation and authentication checks in this action. When a logged-in user visits an attacker-controlled page or clicks a crafted link, the user's browser sends the token-creation request with the user's own session, and because no CSRF token is checked, any valid session can be used to mint a token. The resulting token stays within the scope of the victim's preview authorization, so the attacker can present it without authenticating and read unpublished content that is normally restricted to authorized editors, bypassing the access controls of the content management system.
The operational impact goes beyond simple information disclosure: previewed content may contain sensitive business information, unpublished marketing materials, or confidential editorial content. Every authenticated user with preview capabilities is affected, so large volumes of content not yet released to the public can be exposed. This is a significant risk for organizations that rely on Craft CMS, particularly those handling sensitive data or preparing content for public release. The attack is especially dangerous because the attacker needs no credentials of their own; it relies entirely on the victim's existing session and on normal browser behavior.
The mitigation is to upgrade to Craft CMS 4.17.4 or 5.9.7, where the CSRF protection has been properly implemented. Organizations should check their deployed versions immediately and apply the update to prevent exploitation. Additional defensive measures are proper input validation, CSRF tokens on every state-changing operation, and authentication verification for preview token generation. The weakness is classified as CWE-352 (cross-site request forgery) and is a clear violation of the principle of least privilege in web application security. In ATT&CK terms it maps to T1566, specifically social engineering through malicious website content, and to T1078, the use of valid accounts and legitimate credentials for unauthorized access.
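To check historical traffic for the two traits the advisory describes (the create-token action reached with a non-POST method, and a client-chosen previewToken arriving from a foreign page), the following added example scans web-server access logs in the common "combined" format. It is not code from Craft CMS or VulDB; the log lines, hostnames and token value are constructed, and the expected site hostname is passed in by the caller.

```python
# Added example (not Craft CMS or VulDB code): scan combined-format access logs
# for hits on /actions/preview/create-token that are non-POST, or that carry a
# client-supplied previewToken while the Referer points at a foreign site.
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/actions/preview/create-token"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample traffic: a legitimate editor preview request, then a
# forged GET with an attacker-chosen previewToken triggered from another site.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2026:09:00:01 +0000] "POST /actions/preview/create-token HTTP/1.1" 200 84 "https://cms.example.test/admin/entries/1" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2026:09:05:12 +0000] "GET /actions/preview/create-token?previewToken=ATTACKERCHOSEN HTTP/1.1" 200 84 "https://evil.example.test/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Mar/2026:09:06:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 5120 "https://cms.example.test/admin" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, parse_qs(url.query)
    return rec

def scan_access_log(lines, site_host):
    """Return (reason, client_ip, previewToken) for each suspicious create-token hit."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        token = rec["query"].get("previewToken", [None])[0]
        ref_host = urlsplit(rec["referer"]).hostname
        if rec["method"] != "POST":
            # the advisory notes the action did not require POST; a non-POST hit is a forgery candidate
            findings.append(("non-POST create-token request", rec["ip"], token))
        if token is not None and ref_host and ref_host != site_host:
            # the token value was chosen by the client and the request came from a foreign page
            findings.append(("client-supplied previewToken via cross-site referer", rec["ip"], token))
    return findings

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG, "cms.example.test"):
        print(*finding)
```

Feed it the real access log and the site's hostname; a token value reported here is also worth searching for in later unauthenticated requests, since that is how the minted token would be used.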