CVE-2026-29113

EPSS 0.01%

Craft CMS has a potential information disclosure vulnerability in preview tokens

Published: 3/10/2026Modified: 3/13/2026

Description

# Summary Craft CMS has a CSRF issue in the preview token endpoint at `/actions/preview/create-token`. The endpoint accepts an attacker-supplied `previewToken`. Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker. That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope. --- ## Preconditions - Victim is logged in to Craft control panel. - Victim has active preview authorization in session for target content (e.g., opened/edited an entry). - The attacker must know the target’s `canonicalId` and public URL path of that entry. ## 1) Attacker prepares a fixed token Use any 32-character value, for example: ```text aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ``` ## 2) CSRF victim into minting that token Send the victim a link (or top-level redirect) such as: ```text https://TARGET/actions/preview/create-token?elementType=craft%5Celements%5CEntry&canonicalId=123&siteId=1&previewToken=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&redirect=https%3A%2F%2FTARGET%2F ``` If the victim is logged in and authorized for `previewElement:123`, Craft creates that exact token. ## 3) Attacker accesses preview content unauthenticated ```bash curl -i 'https://TARGET/news/known-entry-slug?token=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' ``` Expected vulnerable behavior: - Response renders preview/unpublished state (draft/provisional context), not just normal public content. --- # Impact - CSRF-based minting of attacker-known preview tokens. - Unauthorized access to draft/provisional/revision content via token replay. - Stealthy one-click exploitation against logged-in editors/admins. - No dependency on forwarded-host poisoning. ---

Affected packages (1)

Packagist/craftcms/cms>= 4.0.0-RC1, < 4.17.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Description

Affected packages (1)

CVSS scores

References (4)