CVE-2026-29113

描述

# Summary Craft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. --- ## Preconditions - Victim is logged in to Craft control panel. - Victim has active preview authorization in session for target content (e.g., opened/edited an entry). - The attacker must know the target’s `canonicalId` and public URL path of that entry. ## 1) Attacker prepares a fixed token Use any 32-character value, for example: ```text aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ``` ## 2) CSRF victim into minting that token Send the victim a link (or top-level redirect) such as: ```text https://TARGET/actions/preview/create-token?elementType=craft%5Celements%5CEntry&canonicalId=123&siteId=1&previewToken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&redirect=https%3A%2F%2FTARGET%2F ``` If the victim is logged in and authorized for `previewElement:123`, Craft creates that exact token. ## 3) Attacker accesses preview content unauthenticated ```bash curl -i 'https://TARGET/news/known-entry-slug?token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ``` Expected vulnerable behavior: - Response renders preview/unpublished state (draft/provisional context), not just normal public content. --- # Impact - CSRF-based minting of attacker-known preview tokens. - Unauthorized access to draft/provisional/revision content via token replay. - Stealthy one-click exploitation against logged-in editors/admins. - No dependency on forwarded-host poisoning. ---

如何修補 CVE-2026-29113

要修補 CVE-2026-29113,請將受影響套件升級到下列已修補版本。

• —升級至 4.17.4 或更新版本

CVE-2026-29113 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)