CVE-2026-44010: Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
The GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can therefore read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII such as full names, postal addresses, organization names and tax IDs.
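The advisory describes a missing authorization check rather than an injection or parsing bug, so the useful thing to see is the shape of the gap and of the fix. The following Python model is an added example, not Craft CMS code: a resolver that ignores the token's schema scope is placed beside one that filters results by the user groups the scope grants, and a helper computes which records the first one would leak relative to the second. The scope string format `usergroups.<uid>:read`, the `SchemaToken` type and the sample data are all constructed assumptions for the model, not Craft's real API.

```python
"""Added example (not Craft CMS code): modelling the authorization gap in
CVE-2026-44010. A schema-scoped token should only read elements owned by
users in the groups its scope covers. resolve_addresses_unscoped shows
what a top-level resolver that skips the scope check returns;
resolve_addresses_scoped applies the check. The scope string format
"usergroups.<uid>:read" is an assumption made for this model."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Address:
    id: int
    owner_id: int          # id of the user element that owns the address
    full_name: str
    organization: str
    tax_id: str            # PII field of the kind the advisory names


@dataclass(frozen=True)
class User:
    id: int
    group_uid: str


@dataclass(frozen=True)
class SchemaToken:
    name: str
    scopes: FrozenSet[str]  # e.g. {"usergroups.members:read"} (assumed format)


# Constructed sample data: two user groups, one orphaned address (owner 99
# does not exist) to show that the scoped resolver defaults to deny.
USERS: Dict[int, User] = {
    1: User(1, "editors"),
    2: User(2, "editors"),
    3: User(3, "members"),
    4: User(4, "members"),
}
ADDRESSES: List[Address] = [
    Address(10, 1, "Ada Editor", "Editors Ltd", "TAX-0001"),
    Address(11, 3, "Mia Member", "Members Co", "TAX-0002"),
    Address(12, 4, "Max Member", "Members Co", "TAX-0003"),
    Address(13, 99, "Orphan Owner", "Unknown Org", "TAX-0004"),
]

SCOPE_PREFIX = "usergroups."
SCOPE_SUFFIX = ":read"


def readable_group_uids(token: SchemaToken) -> Set[str]:
    """Group uids the token may read, parsed from its scope strings."""
    return {
        s[len(SCOPE_PREFIX):-len(SCOPE_SUFFIX)]
        for s in token.scopes
        if s.startswith(SCOPE_PREFIX) and s.endswith(SCOPE_SUFFIX)
    }


def resolve_addresses_unscoped(token: SchemaToken,
                               users: Dict[int, User],
                               addresses: List[Address]) -> List[int]:
    """Mirrors the flaw: the top-level query never consults the token's
    scope, so every address id is returned regardless of its owner."""
    return [a.id for a in addresses]


def resolve_addresses_scoped(token: SchemaToken,
                             users: Dict[int, User],
                             addresses: List[Address]) -> List[int]:
    """Hardened form: only addresses whose owner is in a readable group
    are returned. An owner that cannot be resolved is treated as not
    authorized (default deny)."""
    allowed = readable_group_uids(token)
    result: List[int] = []
    for a in addresses:
        owner: Optional[User] = users.get(a.owner_id)
        if owner is not None and owner.group_uid in allowed:
            result.append(a.id)
    return result


def leaked_ids(token: SchemaToken,
               users: Dict[int, User],
               addresses: List[Address]) -> List[int]:
    """Regression check: ids the unscoped resolver exposes that the scoped
    resolver would have withheld for this token."""
    unscoped = set(resolve_addresses_unscoped(token, users, addresses))
    scoped = set(resolve_addresses_scoped(token, users, addresses))
    return sorted(unscoped - scoped)


if __name__ == "__main__":
    members_token = SchemaToken("members-only",
                                frozenset({"usergroups.members:read"}))
    print("unscoped:", resolve_addresses_unscoped(members_token, USERS, ADDRESSES))
    print("scoped:  ", resolve_addresses_scoped(members_token, USERS, ADDRESSES))
    print("leaked:  ", leaked_ids(members_token, USERS, ADDRESSES))
```

In a real element resolver the ownership condition belongs in the element query itself rather than in a post-filter over fetched results, so that counts and pagination metadata do not reveal the existence of records the token may not read; the model filters a list only because it has no query builder. The `leaked_ids` helper is the kind of check to keep in a test suite after upgrading, run once per schema scope the site actually issues.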