CVE-2026-29069

CVE-2026-29069 is a high-severity improper authentication vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, < 5.9.0-beta.2. It is fixed in 5.9.0-beta.2, 4.17.0-beta.2.

Does this CVE actually affect you?

Kodem shows which CVEs are reachable and running in your applications, so you fix what's exploitable, not just what's listed.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Runtime intelligence, not another scanner.

Summary

Craft CMS has unauthenticated activation email trigger with potential user enumeration

The actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.

The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary userId parameters without verifying ownership.

Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why send-activation-email is in the allowAnonymous array - it’s intentional self-service functionality.

The Security Gap

The endpoint accepts userId as the identifier:

$userId = $this->request->getRequiredBodyParam('userId');

This allows any visitor to trigger activation emails for any pending user, not just their own registration.

Background

When administrators create new user accounts in Craft CMS, users are created in a “pending” state until they activate their account via an emailed link. The actionSendActivationEmail() function sends (or resends) this activation email.

Expected Behavior: Anonymous users should only be able to resend activation emails for their own registration.

Actual Behavior:

  1. The endpoint is listed in allowAnonymous - no login required (intentional for self-service)
  2. For pending users, there is NO ownership verification
  3. Any unauthenticated visitor can trigger activation emails for ANY pending user by ID

Attack Scenarios

Scenario 1: Targeted Account Takeover

Prerequisites: Attacker controls target user’s email (compromised email, shared mailbox, typosquatting, etc.)

1. Admin creates a user account for [email protected]
2. User account is in PENDING state (hasn’t activated yet)
3. Attacker has compromised [email protected] (or it’s a typo of attacker’s domain)
4. Attacker discovers user ID (brute-force, GraphQL enumeration, or insider knowledge)
5. Attacker (unauthenticated) triggers: POST /actions/users/send-activation-email
6. Activation email sent to [email protected] (attacker-controlled)
7. Attacker clicks activation link, sets password
8. Attacker gains access as that user with pre-assigned permissions

Scenario 2: User ID Brute-Force Enumeration

1. Attacker iterates through user IDs (1, 2, 3, ...)
2. For each ID, the attacker calls send-activation-email
3. Response reveals user state:
   - "Activation email sent." = Pending user exists
   - "User not found" = No user with this ID
   - "Activation emails can only be sent to inactive or pending users" = Active user exists
4. Attacker builds a map of all user IDs and their states
5. For any pending user whose email an attacker controls → account takeover

Scenario 3: GraphQL + Targeted Attack

Prerequisites: GraphQL public schema allows user queries

1. Attacker queries GraphQL: { users { id email status } }
2. Filters for pending users
3. Cross-references with emails attacker controls
4. Triggers activation for the target user
5. Account takeover

Scenario 4: Email Spam / Harassment

1. Attacker brute-forces all pending user IDs
2. Repeatedly triggers activation emails
3. Victims receive unwanted emails from the Craft site
4. Potential for:
   - Reputation damage to the site
   - Email deliverability issues (spam reports)
   - User confusion/phishing vector

References

https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8

Impact

The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.

Affected versions

craftcms/cms (>= 5.0.0-RC1, < 5.9.0-beta.2) craftcms/cms (>= 4.0.0-RC1, < 4.17.0-beta.2)

Security releases

craftcms/cms → 5.9.0-beta.2 (composer) craftcms/cms → 4.17.0-beta.2 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

Already deployed Kodem?

See it in your environmentNew to Kodem? Get a demo →

Remediation advice

Upgrade the following packages to resolve this vulnerability:

craftcms/cms to 5.9.0-beta.2 or later; craftcms/cms to 4.17.0-beta.2 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-29069? CVE-2026-29069 is a high-severity improper authentication vulnerability in craftcms/cms (composer), affecting versions >= 5.0.0-RC1, < 5.9.0-beta.2. It is fixed in 5.9.0-beta.2, 4.17.0-beta.2. The application does not adequately verify the identity of a user, device, or process before granting access.
  2. Which versions of craftcms/cms are affected by CVE-2026-29069? craftcms/cms (composer) versions >= 5.0.0-RC1, < 5.9.0-beta.2 is affected.
  3. Is there a fix for CVE-2026-29069? Yes. CVE-2026-29069 is fixed in 5.9.0-beta.2, 4.17.0-beta.2. Upgrade to this version or later.
  4. Is CVE-2026-29069 exploitable, and should I be worried? Whether CVE-2026-29069 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  5. What actually determines whether CVE-2026-29069 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  6. How do I fix CVE-2026-29069?
    • Upgrade craftcms/cms to 5.9.0-beta.2 or later
    • Upgrade craftcms/cms to 4.17.0-beta.2 or later

Other vulnerabilities in craftcms/cms

Stop the waste.
Protect your environment with Kodem.