| Title | Craftcms CMS 5.10.1 Improper Access Controls |
|---|
| Description | Charts Endpoint Exposes User Registration Data Without viewUsers Permission
The `get-new-users-data` action in `ChartsController` returns user registration counts over a caller-supplied date range without checking whether the requesting user has the `viewUsers` permission. Any authenticated CP user, regardless of their assigned permissions, can query this endpoint and learn how many accounts were created on each day, optionally broken down by user group.
### Details
`ChartsController::actionGetNewUsersData` accepts a date range and an optional `userGroupId`, queries the `users` table for registration counts, and returns the result as JSON. The method performs no permission check beyond requiring an authenticated CP session:
```php
// vendor/craftcms/cms/src/controllers/ChartsController.php
public function actionGetNewUsersData(): Response
{
    // No $this->requirePermission('viewUsers') call here: any authenticated CP session reaches the query below.
    $userGroupId = $this->request->getBodyParam('userGroupId');
    $startDateParam = $this->request->getRequiredBodyParam('startDate');
    $endDateParam = $this->request->getRequiredBodyParam('endDate');
    // ... date parsing ...
    $query = (new Query())
        ->from(['users' => Table::USERS]);
    if ($userGroupId) {
        // Caller-supplied group id narrows the count to one user group.
        $query->innerJoin(['usergroups_users' => Table::USERGROUPS_USERS], ...);
        $query->where(['usergroups_users.groupId' => $userGroupId]);
    }
    $dataTable = ChartHelper::getRunChartDataFromQuery($query, $startDate, $endDate, 'users.dateCreated', 'count', '*', [...]);
    return $this->asJson([
        'dataTable' => $dataTable,
        'total' => $total,
        ...
    ]);
}
```
The `UsersController` correctly gates access to user listing with `requirePermission('viewUsers')`. `ChartsController` does not. A user with an empty permission set -- no `viewUsers`, no `editUsers`, no admin rights -- can reach this endpoint and receive registration trend data by day, and optionally per user group.
The response discloses: per-day new-user counts for any date range, total new user count for the requested period, and when a `userGroupId` is supplied, group-specific registration counts. |
|---|
| Source | https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce |
|---|
| User | geochen (UID 78995) |
|---|
| Submission | 06/07/2026 05:29 (29 days ago) |
|---|
| Moderation | 07/05/2026 20:29 (29 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 376388 [Craft CMS up to 4.18.0.1 Charts Endpoint ChartsController.php actionGetNewUsersData userGroupId improper authorization] |
|---|
| Points | 20 |
|---|
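The bug class in the Description above is a public CP action that reads data without any authorization gate. As an added audit example (not Craft's code and not the fix commit), the heuristic below scans PHP controller source for `action*` methods whose body never calls `$this->requirePermission(...)` (named on the page) or `$this->requireAdmin()` (assumed from the `craft\web\Controller` API); the sample source is constructed and mirrors the ungated charts action beside a gated users action.

```python
import re

# Controller calls that enforce an authorization requirement. requirePermission is
# on the page; requireAdmin is assumed from craft\web\Controller.
GATES = ("requirePermission", "requireAdmin")

# Matches `public function actionFoo(...): Type {` and captures the action name.
ACTION_RE = re.compile(r"public\s+function\s+(action\w+)\s*\([^)]*\)[^{]*\{")


def _method_body(src: str, start: int) -> str:
    """Return src from the opening brace at `start` to its matching closing brace."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]


def ungated_actions(src: str) -> list[str]:
    """Names of action methods with no gate call in their own body (heuristic:
    a gate placed in beforeAction() is not seen, so review each hit by hand)."""
    findings = []
    for m in ACTION_RE.finditer(src):
        body = _method_body(src, m.end() - 1)
        if not any(f"$this->{gate}(" in body for gate in GATES):
            findings.append(m.group(1))
    return findings


# Constructed sample: the ungated charts action next to a correctly gated users action.
SAMPLE = """
class ChartsController extends Controller
{
    public function actionGetNewUsersData(): Response
    {
        $userGroupId = $this->request->getBodyParam('userGroupId');
        return $this->asJson(['dataTable' => []]);
    }
}
class UsersController extends Controller
{
    public function actionIndex(): Response
    {
        $this->requirePermission('viewUsers');
        return $this->renderTemplate('users/_index');
    }
}
"""
```

Running `ungated_actions(SAMPLE)` reports only `actionGetNewUsersData`; adding the `requirePermission('viewUsers')` call at the top of that action, as `UsersController` does, clears the finding.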