CVE-2026-27128— Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit

Craft CMS's race condition in Token Service potentially allows for token usage greater than the token limit

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes. To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place. For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user. Versions 4.16.19 and 5.8.23 patch the issue.

N/A

检查时间与使用时间(TOCTOU)的竞争条件

Craft CMS 安全漏洞

Craft CMS是Craft CMS开源的一套内容管理系统（CMS）。 Craft CMS 4.5.0-RC1版本至4.16.18版本和5.0.0-RC1版本至5.8.22版本存在安全漏洞，该漏洞源于令牌验证服务存在TOCTOU竞争条件，可能导致单次使用令牌被多次使用。

N/A

N/A