CVE-2026-44010
HIGH
Craft CMS 4.0.0 to before 4.17.12 and 5.0.0 to before 5.9.18 - GraphQL Address PII Disclosure
Title source: manualDescription
Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and from 5.0.0 to before 5.9.18, the GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can therefore read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs, etc. This vulnerability is fixed in 4.17.12 and 5.9.18.
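The root cause is a missing authorization check (CWE-862) in an element resolver: the top-level address query returns every Address element instead of only those the token's schema scopes permit. The following is an added illustration written for this entry, not Craft CMS code and not the patch referenced below. It models the pre-fix resolver beside a scope-filtered one so the difference is testable offline. The user/address records, the group handles, and the scope string format "usergroups.<handle>:read" are all constructed assumptions; Craft's real scope strings, element classes and resolver signatures differ.

```python
"""Model of CVE-2026-44010: a GraphQL element resolver that ignores schema scopes.

Added example, not Craft CMS code. Records, group handles and the scope string
format are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class User:
    id: int
    groups: frozenset  # user group handles the user belongs to (assumed)


@dataclass(frozen=True)
class Address:
    id: int
    owner_id: int            # user that owns the address element
    full_name: str
    address_line1: str
    organization: str
    organization_tax_id: str  # the kind of PII the advisory says is exposed


@dataclass(frozen=True)
class GqlSchema:
    # Scopes granted to an API token; modelled here as "usergroups.<handle>:read".
    # The real Craft scope format is NOT reproduced here (assumption).
    scopes: frozenset


# Constructed sample data: three users across two groups, one address each.
USERS: Dict[int, User] = {
    1: User(1, frozenset({"customers"})),
    2: User(2, frozenset({"staff"})),
    3: User(3, frozenset({"customers", "staff"})),
}
ADDRESSES: List[Address] = [
    Address(10, 1, "Ada Lovelace", "1 Analytical Way", "Engine Co", "GB123"),
    Address(11, 2, "Alan Turing", "2 Bletchley Rd", "Hut 8 Ltd", "GB456"),
    Address(12, 3, "Grace Hopper", "3 Cobol St", "Navy", "US789"),
]

# A token that is only allowed to read users in the low-privilege "customers" group.
CUSTOMER_TOKEN = GqlSchema(frozenset({"usergroups.customers:read"}))


def readable_group_handles(schema: GqlSchema) -> frozenset:
    """Extract the user group handles the schema grants read access to."""
    prefix, suffix = "usergroups.", ":read"
    return frozenset(
        s[len(prefix):-len(suffix)]
        for s in schema.scopes
        if s.startswith(prefix) and s.endswith(suffix)
    )


def resolve_addresses_vulnerable(schema: GqlSchema,
                                 addresses: Iterable[Address]) -> List[Address]:
    """Pre-fix behaviour: the top-level query returns every Address element.

    `schema` is accepted but never consulted, which is exactly the defect:
    no scope filtering happens on the top-level query.
    """
    return list(addresses)


def resolve_addresses_fixed(schema: GqlSchema, addresses: Iterable[Address],
                            users: Dict[int, User]) -> List[Address]:
    """Scope-filtered resolver: keep an address only if its owner is in a group
    the token may read. Orphaned addresses (unknown owner) are dropped rather
    than leaked, the safe default for an authorization filter.
    """
    allowed = readable_group_handles(schema)
    visible = []
    for addr in addresses:
        owner = users.get(addr.owner_id)
        if owner is None:
            continue
        if owner.groups & allowed:
            visible.append(addr)
    return visible


def ids(addresses: Iterable[Address]) -> List[int]:
    return [a.id for a in addresses]


if __name__ == "__main__":
    print("vulnerable:", ids(resolve_addresses_vulnerable(CUSTOMER_TOKEN, ADDRESSES)))
    print("fixed:     ", ids(resolve_addresses_fixed(CUSTOMER_TOKEN, ADDRESSES, USERS)))
```

With the customers-only token, the vulnerable resolver hands back all three addresses, including the staff user's tax ID; the filtered resolver returns only the two addresses owned by users who are in the customers group. When verifying a fix on a real instance, the equivalent check is to issue the top-level address query with a token scoped to one user group and confirm that no address owned by a user outside that group comes back.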
References (2)
x_refsource_confirm: https://github.com/craftcms/cms/security/advisories/GHSA-gj2p-p9m4-c8gw
x_refsource_misc: https://github.com/craftcms/cms/commit/834b2cf61ad0dcee9b03add44ed402ebf18db128
Scores
CVSS v4
7.1
EPSS
0.0034
EPSS Percentile
25.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (4)
craftcms/cms
>= 4.0.0, < 4.17.12 (Packagist)
craftcms/cms
>= 5.0.0, < 5.9.18 (Packagist)
craftcms/cms
>= 4.0.0, < 4.17.12
craftcms/cms
>= 5.0.0, < 5.9.18
Published
May 12, 2026
Tracked Since
May 13, 2026