CVE-2026-29113
Craft CMS has a potential information disclosure vulnerability in preview tokens
Description
# Summary Craft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. --- ## Preconditions - Victim is logged in to Craft control panel. - Victim has active preview authorization in session for target content (e.g., opened/edited an entry). - The attacker must know the target’s `canonicalId` and public URL path of that entry. ## 1) Attacker prepares a fixed token Use any 32-character value, for example: ```text aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ``` ## 2) CSRF victim into minting that token Send the victim a link (or top-level redirect) such as: ```text https://TARGET/actions/preview/create-token?elementType=craft%5Celements%5CEntry&canonicalId=123&siteId=1&previewToken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&redirect=https%3A%2F%2FTARGET%2F ``` If the victim is logged in and authorized for `previewElement:123`, Craft creates that exact token. ## 3) Attacker accesses preview content unauthenticated ```bash curl -i 'https://TARGET/news/known-entry-slug?token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ``` Expected vulnerable behavior: - Response renders preview/unpublished state (draft/provisional context), not just normal public content. --- # Impact - CSRF-based minting of attacker-known preview tokens. - Unauthorized access to draft/provisional/revision content via token replay. - Stealthy one-click exploitation against logged-in editors/admins. - No dependency on forwarded-host poisoning. ---
How to fix CVE-2026-29113
To remediate CVE-2026-29113, upgrade the affected package to a fixed version below.
- —upgrade to 4.17.4 or later
Is CVE-2026-29113 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.