Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure — CVE-2026-44010
GitHub · GitHub · CVE-2026-44010
ID
CVE-2026-44010
CVE-2026-44010
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
high
high
CVSS
7.1
7.1
EPSS
0.00038
0.00038
Summary
### Summary The GraphQL Address element resolver (src/gql/resolvers/elements/Address.php) performs no schema scope filtering on top-level queries. A GraphQL API token scoped to a single low-privilege user group can read every address in the system, including addresses belonging to users in groups the token has no authorization to access. This exposes PII, including full names, addresses, organizations, tax IDs,…
Product
composer: craftcms/cms
What to do
General, cautious steps (verify details in the official source):
- Prioritize patching or mitigation immediately (treat as actively risky).
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.