The Exploit Is One Line
CVE-2026-32267 is a privilege escalation vulnerability in Craft CMS with a CVSS score of 7.7. The attack requires a valid preview token — which any editor-level user can generate by creating a draft post and clicking 'Preview.' The attacker then appends &action=users/impersonate-with-token&userId=1&prevUserId=1 to the preview URL. The server processes this as an impersonation request and logs the attacker in as user ID 1 — typically the site administrator.
The vulnerability exists because Craft CMS does not validate what action a preview token is authorized to perform. A token generated for the benign action of previewing a blog post can be reused for the privileged action of impersonating another user. The token proves that the requester is authenticated — but it does not restrict what they can do with that authentication. This is a design flaw, not an implementation bug.
Why This Matters Beyond Craft CMS
Craft CMS is a developer-focused CMS used by agencies and brands that specifically chose it over WordPress for its cleaner architecture and better developer experience. It is not a legacy platform. It uses modern PHP (Yii2 framework), has a structured content model, and is deployed by technically sophisticated teams. And yet the vulnerability is a fundamental design error in how authentication tokens are scoped — the kind that automated security scanning might miss because the individual components (token generation, impersonation endpoint) each work correctly in isolation. The flaw is in their interaction.
This pattern — modern platform, sophisticated users, fundamental design flaw — reinforces a consistent finding in WebPulse's data: moving to a 'better' CMS does not automatically mean better security. Ghost CMS (Node.js) was compromised by a CVSS 9.4 SQL injection this month. Craft CMS (modern PHP) has a privilege escalation via URL parameter. The framework generation matters less than the specific security decisions made during its design.
The Fix
Craft CMS patched the vulnerability in versions 4.17.6 and 5.9.12. The fix validates that preview tokens can only be used for their intended action. Organizations running affected versions should update immediately — the exploit requires only editor-level access, and any CMS with multiple users likely has editor accounts. The attack is simple enough that it does not require security expertise to execute.
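The design flaw described above, and the shape of the fix, reduce to one question: does the server check what a token was issued for, or only that it is genuine? The following is an added illustration written for this article, not Craft CMS code and not its real token format or action names. It builds a minimal HMAC-signed token that carries an "action" claim, then shows the weak check (any valid token works for any action) next to the hardened check (the token is honoured only for the action named in its claims). The action string "entries/preview", the user IDs and the secret are constructed placeholders; "users/impersonate-with-token" is the action named in the article.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment loads this from configuration.
SECRET = b"demo-secret-not-for-production"

# Action names: the impersonation one is quoted in the article, the preview one
# is a placeholder chosen for this example.
PREVIEW_ACTION = "entries/preview"
IMPERSONATE_ACTION = "users/impersonate-with-token"


def _sign(payload: str) -> str:
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: int, action: str, ttl: int = 3600, now=None) -> str:
    """Mint a signed token whose claims name the single action it may be used for."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "action": action, "exp": int(now + ttl)}
    payload = base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()
    ).decode()
    return f"{payload}.{_sign(payload)}"


def _verify(token: str, now=None):
    """Return the claims if the signature is genuine and the token is unexpired, else None."""
    now = time.time() if now is None else now
    payload, sep, sig = token.partition(".")
    if not sep or not hmac.compare_digest(sig, _sign(payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return None
    return claims


def authorize_unscoped(token: str, requested_action: str, now=None) -> bool:
    """Weak pattern: any genuine token is accepted for any action.

    This is the flaw in the article: the token proves the bearer is an
    authenticated user, but nothing ties it to the action it was issued for,
    so requested_action is never consulted.
    """
    return _verify(token, now) is not None


def authorize_scoped(token: str, requested_action: str, now=None) -> bool:
    """Hardened pattern: the token is honoured only for the action in its claims."""
    claims = _verify(token, now)
    return claims is not None and claims["action"] == requested_action


def handle_request(params: dict, authorize, now=None) -> str:
    """Toy request handler: the query string carries the preview token and may
    also carry an explicit action parameter, as in the URL quoted above."""
    requested = params.get("action", PREVIEW_ACTION)
    if not authorize(params["token"], requested, now):
        return "denied"
    return "impersonated" if requested == IMPERSONATE_ACTION else "previewed"


if __name__ == "__main__":
    # Constructed scenario: an editor (uid 42) holds a token minted for previewing.
    tok = issue_token(42, PREVIEW_ACTION, now=1000)
    req = {"token": tok, "action": IMPERSONATE_ACTION, "userId": "1"}
    print("unscoped check:", handle_request(req, authorize_unscoped, now=1500))
    print("scoped check:  ", handle_request(req, authorize_scoped, now=1500))
```

Run stand-alone, the script shows the same request succeeding under the unscoped check and being denied under the scoped one. The useful design point is that the binding lives inside the signed claims, so a bearer cannot change the action without invalidating the signature; a check that only compares the token to a server-side list of "valid tokens" would still have the original problem.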