CVE-2026-44010— Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-44010
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Craft CMS: Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Source: NVD (National Vulnerability Database)
Vulnerability Description
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制缺失
Source: NVD (National Vulnerability Database)
Vulnerability Title
Craft CMS 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Craft CMS是Craft CMS开源的一套内容管理系统(CMS)。 Craft CMS 4.0.0至4.17.12之前版本和5.9.18之前版本存在安全漏洞,该漏洞源于GraphQL地址元素解析器未对顶级查询执行模式范围过滤,可能导致低权限用户组令牌读取系统内所有地址,包括未授权访问的用户组地址,暴露个人信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-44010
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-44010
请登录查看更多情报信息。
- https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gwx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-44010
Same Patch Batch · craftcms · 2026-05-12 · 3 CVEs total
| CVE-2026-44011 | Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior | |
| CVE-2026-44012 | Craft CMS: Missing Volume Permission Check in AssetsController::actionShowInFolder Allows |
IV. Related Vulnerabilities
Same product: cms
- CVE-2026-44306
Statamic: Email enumeration via forgot password endpoint - CVE-2026-44011
Craft CMS: Potential authenticated Remote Code Execution via - CVE-2026-44012
Craft CMS: Missing Volume Permission Check in AssetsControll - CVE-2026-7508
Bootstrap CMS Page Creation show.blade.php code injection - CVE-2026-7317
Grav CMS Cache Value FileCache.php doGet deserialization
Same vendor: craftcms
- CVE-2026-44011
Craft CMS: Potential authenticated Remote Code Execution via - CVE-2026-44012
Craft CMS: Missing Volume Permission Check in AssetsControll - CVE-2026-41130
Craft CMS has a host header injection leading to SSRF via re - CVE-2026-41129
Craft CMS has Server-Side Request Forgery (SSRF) with Asset - CVE-2026-41128
Craft CMS has a Missing Authorization Check on User Group Re
Same weakness: CWE-862
- CVE-2026-45667
Open WebUI: Unauthenticated endpoint can trigger embedding g - CVE-2026-44571
Open WebUI: Improper Authorization in Standard Channels Allo - CVE-2026-45350
Open WebUI: Chat completion API allows tool restrictions to - CVE-2026-44569
Open WebUI: Insecure Message Access Breaks Authorization - CVE-2026-44550
Open WebUI: Mass Assignment via Pydantic extra='allow' Allow
V. Comments for CVE-2026-44010
No comments yet