HIGHCVE-2026-44010Published 2026-05-12Modified 2026-05-13CNA GitHub_M

CVE-2026-44010: Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.

CVSS v4.0: 7.1
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

craftcms / cms
>= 5.0.0, < 5.9.18 · >= 4.0.0, < 4.17.12

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128

Metrics