CVE-2026-27128
Severity CVSS v4.0:
MEDIUM
Type:
Unavailable / Other
Publication date:
24/02/2026
Last modified:
27/02/2026
Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
4.80
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* | 4.5.0 (excluding) | 4.16.19 (excluding) |
| cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:* | 5.0.0 (excluding) | 5.8.23 (excluding) |
| cpe:2.3:a:craftcms:craft_cms:4.5.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:craftcms:craft_cms:4.5.0:rc1:*:*:*:*:*:* | ||
| cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:* | ||
| cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page