CVE-2026-33159
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
描述
### Summary Guest users can access Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication. ### Details `ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests. `index` emits signed updater state (`data`), which can be reused by guests in subsequent requests. Sensitive actions that are reachable via this method are `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`. #### Reproduction steps 1. Guest POST to: http POST /admin/actions/config-sync/index 2. Extract data from returned JS state: Craft.updater = ... setState({"data":"<signedData>", ...}); 3. Reuse data as a guest: ``` POST /admin/actions/config-sync/regenerate-yaml data=<signedData>&<csrfParam>=<csrfToken> ``` or ``` POST /admin/actions/config-sync/apply-yaml-changes data=<signedData>&<csrfParam>=<csrfToken> ``` 4. Observe completed response and state/file changes. ### Impact Unauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts. Depending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk. ### Resources https://github.com/craftcms/cms/commit/7f0ead833f7
如何修補 CVE-2026-33159
要修補 CVE-2026-33159,請將受影響套件升級到下列已修補版本。
- —升級至 5.9.14 或更新版本
CVE-2026-33159 正在被利用嗎?
低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。
受影響套件(1)
- >= 5.0.0-RC1, < 5.9.14