CVE-2026-27131: Sprig Plugin for Craft CMS potentially discloses sensitive information via Sprig Playground
Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function.
This issue was mitigated in versions 3.15.2 and 2.15.2 by disabling access to the Sprig Playground entirely, by default, whenever devMode is disabled. This behaviour can be overridden with a new enablePlaygroundWhenDevModeDisabled config setting, which defaults to false.
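As an added illustration (not code from the advisory or from the plugin itself), a per-environment Craft plugin config that keeps the setting at its safe default and makes the production intent explicit; the config/sprig.php path and the '*' / 'production' environment-key layout follow Craft's plugin config convention and are assumed here, while the setting name is the one the advisory introduces.

```php
<?php
// config/sprig.php (added example; assumed path per Craft's plugin config convention).
// Craft merges the '*' block with the block matching the current environment.
// With the patched plugin (3.15.2 / 2.15.2 or later) the playground is already
// off whenever devMode is false; this file records that decision so a later
// change to the override is visible in review.
return [
    '*' => [
        // Post-fix default. Setting this to true re-exposes the playground to
        // admins and to users holding the playground permission even on sites
        // where devMode is off, i.e. the security key, credentials and other
        // config values, plus the hashData() signing function.
        'enablePlaygroundWhenDevModeDisabled' => false,
    ],
    'production' => [
        // Keep devMode false in config/general.php for this environment; the
        // playground then stays disabled without relying on the override.
        'enablePlaygroundWhenDevModeDisabled' => false,
    ],
];
```

A quick check after upgrading: with devMode off and this setting absent or false, the playground route should be unreachable even for an admin account.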
References
- github.com/advisories/GHSA-m59h-42jf-cphr
- github.com/putyourlightson/craft-sprig
- github.com/putyourlightson/craft-sprig/commit/09c9da2ffb45a8857829f3390ae2578e26cfe03b
- github.com/putyourlightson/craft-sprig/commit/db18c46f6dc5603828aa321a3a615adbd677d475
- github.com/putyourlightson/craft-sprig/security/advisories/GHSA-m59h-42jf-cphr
- nvd.nist.gov/vuln/detail/CVE-2026-27131