CVE-2026-29113: Craft CMS has a potential information disclosure vulnerability in preview tokens
Craft CMS has a CSRF issue in the preview token endpoint at /actions/preview/create-token. The endpoint accepts an attacker-supplied previewToken.
Because the action does not require POST and does not enforce a CSRF token, an attacker can force a logged-in victim editor to mint a preview token chosen by the attacker.
That token can then be used by the attacker (without authentication) to access previewed/unpublished content tied to the victim’s authorized preview scope.
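An added defender-side example, not code from the advisory or from Craft CMS: a Python checker that scans access-log lines for requests to the create-token action that match the shape described above (non-POST, client-chosen previewToken, Referer from another origin). The log lines and the site hostname cms.example are constructed assumptions.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Combined/NCSA access-log format; the sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
ENDPOINT = "/actions/preview/create-token"

def analyze_line(line: str, site_host: str) -> Optional[dict]:
    """Return a finding for a suspicious create-token request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path.rstrip("/") != ENDPOINT:
        return None
    reasons = []
    # A patched action should only accept POST; a GET is the CSRF-exploitable shape.
    if m["method"] != "POST":
        reasons.append("non-POST request to the token-minting action")
    # A previewToken in the URL means the token value was chosen by the client, not the server.
    if "previewToken" in parse_qs(parts.query):
        reasons.append("client-supplied previewToken in query string")
    # No Referer, or one from another origin, is consistent with a cross-site request.
    ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
    if ref_host != site_host:
        reasons.append(f"referer host {ref_host!r} is not {site_host!r}")
    if not reasons:
        return None
    return {"ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]), "reasons": reasons}

def analyze_log(lines, site_host: str) -> list:
    # Run analyze_line over every line and keep only the findings.
    return [f for f in (analyze_line(l, site_host) for l in lines) if f]

SAMPLE_LOG = [  # constructed lines; cms.example is the assumed CMS host
    '203.0.113.5 - - [10/Mar/2026:14:02:11 +0000] "GET /actions/preview/create-token'
    '?previewToken=chosenbyclient123 HTTP/1.1" 200 87 "https://lure.example/page.html" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:14:03:40 +0000] "POST /actions/preview/create-token HTTP/1.1"'
    ' 200 91 "https://cms.example/admin/entries/1" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2026:14:04:02 +0000] "GET /admin/entries/1 HTTP/1.1" 200 5123'
    ' "https://cms.example/admin" "Mozilla/5.0"',
]
if __name__ == "__main__":
    for finding in analyze_log(SAMPLE_LOG, "cms.example"):
        print(finding)
```

Only the first sample line is reported, with all three reasons; the same-origin POST and the unrelated admin page request are ignored.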