CVE-2026-33159
Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
Description
### Summary Guest users can access Config Sync updater `index`, obtain signed `data`, and execute state-changing Config Sync actions (`regenerate-yaml`, `apply-yaml-changes`) without authentication. ### Details `ConfigSyncController` extends `BaseUpdaterController`, and the base updater is anonymously accessible for control panel requests. `index` emits signed updater state (`data`), which can be reused by guests in subsequent requests. Sensitive actions that are reachable via this method are `actionApplyYamlChanges`, `actionRegenerateYaml`, `applyExternalChanges`, and `regenerateExternalConfig`. #### Reproduction steps 1. Guest POST to: http POST /admin/actions/config-sync/index 2. Extract data from returned JS state: Craft.updater = ... setState({"data":"<signedData>", ...}); 3. Reuse data as a guest: ``` POST /admin/actions/config-sync/regenerate-yaml data=<signedData>&<csrfParam>=<csrfToken> ``` or ``` POST /admin/actions/config-sync/apply-yaml-changes data=<signedData>&<csrfParam>=<csrfToken> ``` 4. Observe completed response and state/file changes. ### Impact Unauthenticated users can execute project configuration sync operations that should be restricted to trusted admin/deployment contexts. Depending on the pending YAML/config state, this can cause unauthorized config state transitions and a service integrity risk. ### Resources https://github.com/craftcms/cms/commit/7f0ead833f7
How to fix CVE-2026-33159
To remediate CVE-2026-33159, upgrade the affected package to a fixed version below.
- —upgrade to 5.9.14 or later
Is CVE-2026-33159 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 5.0.0-RC1, < 5.9.14