Submit #850793: Craftcms CMS 5.10.1 Improper Access Controls

Title: Craftcms CMS 5.10.1 Improper Access Controls
Description: Charts Endpoint Exposes User Registration Data Without viewUsers Permission

The `get-new-users-data` action in `ChartsController` returns user registration counts over a caller-supplied date range without checking whether the requesting user has the `viewUsers` permission. Any authenticated CP user, regardless of their assigned permissions, can query this endpoint and learn how many accounts were created on each day, optionally broken down by user group.

### Details

`ChartsController::actionGetNewUsersData` accepts a date range and an optional `userGroupId`, queries the `users` table for registration counts, and returns the result as JSON. The method performs no permission check beyond requiring an authenticated CP session:

```php
// vendor/craftcms/cms/src/controllers/ChartsController.php
public function actionGetNewUsersData(): Response
{
    $userGroupId = $this->request->getBodyParam('userGroupId');
    $startDateParam = $this->request->getRequiredBodyParam('startDate');
    $endDateParam = $this->request->getRequiredBodyParam('endDate');
    // ... date parsing ...
    $query = (new Query())
        ->from(['users' => Table::USERS]);
    if ($userGroupId) {
        $query->innerJoin(['usergroups_users' => Table::USERGROUPS_USERS], ...);
        $query->where(['usergroups_users.groupId' => $userGroupId]);
    }
    $dataTable = ChartHelper::getRunChartDataFromQuery($query, $startDate, $endDate, 'users.dateCreated', 'count', '*', [...]);
    return $this->asJson([
        'dataTable' => $dataTable,
        'total' => $total,
        ...
    ]);
}
```

The `UsersController` correctly gates access to user listing with `requirePermission('viewUsers')`. `ChartsController` does not. A user with an empty permission set (no `viewUsers`, no `editUsers`, no admin rights) can reach this endpoint and receive registration trend data by day, and optionally per user group.

The response discloses:

- per-day new-user counts for any date range,
- the total new-user count for the requested period, and
- when a `userGroupId` is supplied, group-specific registration counts.
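As an added illustration, the action below shows the same method with the `requirePermission('viewUsers')` gate that the description credits `UsersController` with, placed before any request parameter is read. This is example code written for this page; it is not the project's own source and not the content of the referenced fix commit. `craft\web\Controller::requirePermission()` is a real Craft CMS method that throws `yii\web\ForbiddenHttpException` (HTTP 403) when the current user lacks the named permission. The date parsing, the join condition and the way `$total` is computed are stand-ins for the parts the report elides, and are marked as assumptions in the code.

```php
<?php
// Added example (not Craft CMS project code): ChartsController::actionGetNewUsersData
// hardened with the same permission check the report says UsersController applies.
namespace craft\controllers;

use craft\db\Query;
use craft\db\Table;
use craft\helpers\ChartHelper;
use craft\web\Controller;
use DateTime;
use yii\web\Response;

class ChartsController extends Controller
{
    public function actionGetNewUsersData(): Response
    {
        // The missing check: refuse the request before touching any parameters.
        // requirePermission() throws ForbiddenHttpException when the logged-in
        // user does not hold 'viewUsers', so an authenticated CP user with an
        // empty permission set never reaches the query below.
        $this->requirePermission('viewUsers');

        $userGroupId = $this->request->getBodyParam('userGroupId');
        $startDateParam = $this->request->getRequiredBodyParam('startDate');
        $endDateParam = $this->request->getRequiredBodyParam('endDate');

        // Date parsing stand-in (assumption for this example, not the project's code).
        $startDate = new DateTime($startDateParam);
        $endDate = new DateTime($endDateParam);

        $query = (new Query())
            ->from(['users' => Table::USERS]);

        if ($userGroupId) {
            // Join condition is an assumption written for this example.
            $query->innerJoin(
                ['usergroups_users' => Table::USERGROUPS_USERS],
                '[[usergroups_users.userId]] = [[users.id]]'
            );
            $query->where(['usergroups_users.groupId' => $userGroupId]);
        }

        // Total for the requested period, computed on a clone so the chart
        // helper's own select/group-by changes do not affect it (assumption).
        $total = (int)(clone $query)
            ->andWhere([
                'between',
                'users.dateCreated',
                $startDate->format('Y-m-d H:i:s'),
                $endDate->format('Y-m-d H:i:s'),
            ])
            ->count();

        $dataTable = ChartHelper::getRunChartDataFromQuery(
            $query,
            $startDate,
            $endDate,
            'users.dateCreated',
            'count',
            '*'
        );

        return $this->asJson([
            'dataTable' => $dataTable,
            'total' => $total,
        ]);
    }
}
```

The important design choice is the position of the check: it runs first, so no parameter validation error, date-parsing exception or query result can leak back to a caller who is not entitled to see user data. Placing it after `getRequiredBodyParam()` would already reveal, through differing error responses, whether the endpoint accepted the input.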
Source: https://github.com/craftcms/cms/commit/9ee53efc1314e6aba32771c66a13e072a246f4ce
User: geochen (UID 78995)
Submission: 06/07/2026 05:29 (29 days ago)
Moderation: 07/05/2026 20:29 (29 days later)
Status: Accepted
VulDB entry: 376388 [Craft CMS up to 4.18.0.1 Charts Endpoint ChartsController.php actionGetNewUsersData userGroupId improper authorization]
Points: 20
