CVE-2026-33159: Craft CMS: Unauthenticated Users Can Perform Restricted Project Config Sync Operations
Guest (unauthenticated) users can reach the Config Sync updater index, obtain the signed data it returns, and use it to execute the state-changing Config Sync actions regenerate-yaml and apply-yaml-changes, all without authentication. The fix is in commit 7f0ead833f7c2b91ae12003caad833479dd08592 and ships in Craft CMS 4.17.8 and 5.9.14 (see the release tags in the references); upgrade to one of those releases or later.
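A quick way to find out whether a deployment pulls in an affected craftcms/cms build is to read its composer.lock. The following checker is an added example written for this page, not code from Craft CMS or from the advisory. It takes the two fixed versions from the release tags referenced below and assumes (not stated explicitly on this page) that every earlier release on the same major line is affected; the composer.lock fragment it scans is constructed for the example.

```python
"""Flag craftcms/cms entries in a composer.lock that predate the CVE-2026-33159 fixes."""
import json
import re
from typing import Dict, List, Optional, Tuple

PACKAGE = "craftcms/cms"

# Fixed versions taken from the release tags in the advisory references.
# Assumption: every earlier release on the same major line is affected.
FIXED_VERSIONS: Dict[int, Tuple[int, int, int]] = {
    4: (4, 17, 8),
    5: (5, 9, 14),
}

# Constructed sample composer.lock: one affected 5.x pin, one safe 4.x pin.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.13"},
        {"name": "yiisoft/yii2", "version": "2.0.49"},
    ],
    "packages-dev": [
        {"name": "craftcms/cms", "version": "v4.17.8"},
    ],
})


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Turn '5.9.13', 'v5.9.13' or '5.9.13.1' into (major, minor, patch).

    Returns None for branch aliases such as 'dev-main', which cannot be compared.
    """
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the version predates the fix on its major line, False if fixed.

    None means the check cannot decide: unparseable version, or a major line
    for which this page lists no fixed release (for example 3.x).
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = FIXED_VERSIONS.get(parsed[0])
    if fixed is None:
        return None
    return parsed < fixed


def scan_lock(lock_text: str) -> List[Dict[str, object]]:
    """Return one finding per craftcms/cms entry in 'packages' and 'packages-dev'."""
    lock = json.loads(lock_text)
    findings: List[Dict[str, object]] = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") != PACKAGE:
                continue
            version = str(pkg.get("version", ""))
            findings.append({
                "section": section,
                "version": version,
                "vulnerable": is_vulnerable(version),
            })
    return findings


if __name__ == "__main__":
    for f in scan_lock(SAMPLE_LOCK):
        status = {True: "AFFECTED", False: "fixed", None: "undetermined"}[f["vulnerable"]]
        print(f'{f["section"]}: {PACKAGE} {f["version"]} -> {status}')
```

Run it against a real lock file with `scan_lock(open("composer.lock").read())`. An "undetermined" result (a dev branch or a major line not covered by the advisory) is deliberately not reported as safe; resolve it by checking the installed version in the control panel or the advisory itself.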
References
- github.com/advisories/GHSA-6mrr-q3pj-h53w
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/7f0ead833f7c2b91ae12003caad833479dd08592
- github.com/craftcms/cms/releases/tag/4.17.8
- github.com/craftcms/cms/releases/tag/5.9.14
- github.com/craftcms/cms/security/advisories/GHSA-6mrr-q3pj-h53w
- nvd.nist.gov/vuln/detail/CVE-2026-33159