CVE-2026-27131: Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground
Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function.
This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely, by default, whenever devMode is disabled. This behaviour can be overridden with a new enablePlaygroundWhenDevModeDisabled setting, which defaults to false.
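The gate described above, written out as an added example in PHP (this is illustrative code, not the plugin's own implementation): a hypothetical playgroundAccessAllowed() helper combines the three inputs the advisory names, the site's devMode flag, the enablePlaygroundWhenDevModeDisabled setting, and whether the current user holds the playground permission. It assumes the plugin reads its overrides from a config/sprig.php array, which is the usual Craft CMS plugin convention; the function and variable names are invented here.

```php
<?php
// Hypothetical helper mirroring the post-fix rule: when devMode is off, the
// Sprig Playground is unreachable unless the site explicitly opts back in.
// Permission is still required in every case; the override never grants it.
function playgroundAccessAllowed(bool $devMode, bool $enablePlaygroundWhenDevModeDisabled, bool $userHasPlaygroundPermission): bool
{
    if (!$userHasPlaygroundPermission) {
        return false; // no permission, no playground, regardless of devMode
    }
    if ($devMode) {
        return true; // development environment: permitted users may use it
    }
    // Production (devMode disabled): only the explicit override re-enables it.
    return $enablePlaygroundWhenDevModeDisabled;
}

// Constructed config/sprig.php shape (assumption: standard Craft plugin config
// file). The secure default leaves the override off; set it to true only on a
// site that has accepted that the playground exposes configuration values.
$sprigConfig = [
    'enablePlaygroundWhenDevModeDisabled' => false,
];

// Constructed scenarios: an admin with permission on a production site.
$devMode = false;
$override = $sprigConfig['enablePlaygroundWhenDevModeDisabled'];

var_dump(playgroundAccessAllowed($devMode, $override, true));   // bool(false): blocked by default
var_dump(playgroundAccessAllowed(true, $override, true));       // bool(true): devMode on
var_dump(playgroundAccessAllowed($devMode, true, true));        // bool(true): override accepted
var_dump(playgroundAccessAllowed($devMode, true, false));       // bool(false): override cannot replace permission
```

The point to check when reviewing a site after upgrading is the third case: if enablePlaygroundWhenDevModeDisabled has been flipped to true in production, the fix is effectively undone and every permitted user can again read the values the playground renders.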
References:
- https://github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475
- https://github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b
- https://github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr
- https://github.com/advisories/GHSA-m59h-42jf-cphr
- https://github.com/putyourlightson/craft-sprig
- https://nvd.nist.gov/vuln/detail/CVE-2026-27131