PatchSiren cyber security CVE debrief
CVE-2026-31266 Craft CMS CVE debrief
CVE-2026-31266 documents a Missing Authorization vulnerability in Craft CMS 5.9.5 and earlier, affecting the migrate controller action served at `/actions/app/migrate`. The record was published to the CVE List on 2026-05-27 and carries a CVSS 3.1 base score of 7.3 (HIGH) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L: network-reachable, low attack complexity, no privileges or user interaction required, and a low impact on each of confidentiality, integrity and availability. The weakness is classified as CWE-862 (Missing Authorization). The NVD entry currently shows a status of 'Deferred', which is NVD's marker that its own enrichment of the record has been deferred; the score and vector above should therefore be read as the values carried on the CVE record itself rather than as an NVD assessment. Multiple GitHub repositories are referenced in the source data, including the main Craft CMS repository and what appear to be proof-of-concept demonstrations. Organizations running affected versions should confirm the installed version, check who can reach the migrate action, and watch for a vendor advisory naming a fixed release.
- Vendor: Craft CMS
- Product: Craft CMS
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations operating Craft CMS installations, particularly those with exposed administrative interfaces or development/staging environments; security teams responsible for content management system security; web application developers using Craft CMS framework.
Technical summary
The vulnerability is in the migrate controller action of Craft CMS, reached at `/actions/app/migrate`, in versions 5.9.5 and earlier. The action does not enforce an authorization check, so a requester who is not an authenticated administrator, including a fully unauthenticated one, may be able to trigger migration operations that should be restricted to administrators. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) describes a network-reachable issue of low attack complexity that needs no privileges or user interaction and has a low impact on each of confidentiality, integrity and availability, with scope unchanged. The CWE-862 classification marks this as a missing authorization control: the check is absent rather than present but bypassable, which is a different failure from an authentication bypass.
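The following is an added example, not code from the Craft CMS project or from the CVE record: a small Python scanner for web server access logs that finds requests aimed at the migrate action described above. It assumes a combined-format access log and Craft's default `actions` action-trigger segment and `p` path parameter (a site that changed the `actionTrigger` or `pathParam` setting should adjust the constants); the log lines are constructed for the example. It normalises percent-encoding, repeated slashes and the `p=` query form Craft uses when pretty URLs are disabled, and it flags hits from addresses outside a trusted set. An `action` parameter carried in a POST body is not visible in an access log, so that path needs request-body logging or a WAF rule instead.

```python
from __future__ import annotations

import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions for this example: Craft's default action trigger segment
# ("actions") and default path parameter ("p") are in use. Sites that changed
# the actionTrigger or pathParam config settings should adjust these.
ACTION_TRIGGER = "actions"
PATH_PARAM = "p"
TARGET_ACTION = "app/migrate"  # the action named in CVE-2026-31266

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). 192.0.2.10 stands in for an
# administrator's workstation; the other addresses are untrusted.
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:15:20:01 +0000] "POST /actions/app/migrate HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [27/May/2026:15:20:03 +0000] "GET /index.php?p=actions%2Fapp%2Fmigrate HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.22 - - [27/May/2026:15:21:10 +0000] "POST /actions//app/%6Digrate/ HTTP/1.1" 403 0 "-" "python-requests/2.32"
192.0.2.10 - - [27/May/2026:15:22:00 +0000] "POST /actions/app/migrate HTTP/1.1" 200 512 "https://example.test/admin/utilities" "Mozilla/5.0"
192.0.2.10 - - [27/May/2026:15:22:05 +0000] "GET /admin/dashboard HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:15:23:00 +0000] "GET /actions/users/login HTTP/1.1" 200 100 "-" "curl/8.5.0"
"""


def _normalize(path: str) -> list[str]:
    """Decode percent-encoding, lower-case, collapse slashes, split into segments."""
    path = re.sub(r"/+", "/", unquote(path).lower()).strip("/")
    segs = path.split("/") if path else []
    if segs and segs[0] == "index.php":  # front controller present in the path
        segs = segs[1:]
    return segs


def requested_action(target: str) -> str | None:
    """Return the Craft action path ("controller/action") a request targets, or None.

    Covers the pretty-URL form (/actions/app/migrate, optionally behind
    index.php) and the p= query form used when pretty URLs are disabled.
    An `action` parameter in a POST body is not in the access log and is
    not covered here.
    """
    parts = urlsplit(target)
    candidates = [parts.path] + parse_qs(parts.query).get(PATH_PARAM, [])
    for cand in candidates:
        segs = _normalize(cand)
        if len(segs) >= 3 and segs[0] == ACTION_TRIGGER:
            return "/".join(segs[1:])
    return None


def scan_access_log(lines, trusted_ips=frozenset()):
    """Return one finding per request that targeted the migrate action."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if requested_action(m["target"]) != TARGET_ACTION:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "method": m["method"],
            "status": int(m["status"]),
            "target": m["target"],
            "trusted_source": m["ip"] in trusted_ips,
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG.splitlines(), trusted_ips={"192.0.2.10"}):
        flag = "ok     " if f["trusted_source"] else "REVIEW "
        print(flag, f["time"], f["ip"], f["method"], f["status"], f["target"])
```

On the constructed sample this reports four requests to the migrate action, three of them from untrusted addresses; the 403 from 198.51.100.22 still merits a look, since a probe that was blocked once may have succeeded elsewhere. Status codes alone do not tell you whether a request was authorized, which is the point of the vulnerability, so every hit from an untrusted source should be reviewed against Craft's own logs.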
Defensive priority
HIGH
Recommended defensive actions
- Verify Craft CMS version and identify any instances running 5.9.5 or earlier
- Review access controls on `/actions/app/migrate` and related administrative endpoints; until a fixed release is available, consider restricting the action path at the reverse proxy or WAF to trusted sources
- Monitor Craft CMS security advisories and release notes for patch availability
- Implement network segmentation to limit exposure of administrative endpoints
- Review web server and application logs for requests to the migrate endpoint from untrusted sources, including percent-encoded and other variant spellings of the path
- Apply principle of least privilege to all administrative functions
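As an added example (not code from the CVE record or the Craft CMS project), here is the version check from the first action above, written in Python against a project's `composer.lock`. The lock fragment is constructed; `craftcms/cms` is Composer's name for the Craft core package. The detail worth showing is the boundary: "5.9.5 and earlier" has to be compared component by component as numbers, because a string comparison puts 5.10.0 below 5.9.5 and would report a later build as vulnerable.

```python
import json
import re

# Affected range as stated in the CVE record: Craft CMS 5.9.5 and earlier.
# Taken literally this also covers earlier major versions; confirm the exact
# range against the vendor advisory once it names a fixed release.
LAST_AFFECTED = (5, 9, 5)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Constructed composer.lock fragment for the example (not a real project file).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "yiisoft/yii2", "version": "2.0.49"},
        {"name": "craftcms/cms", "version": "5.9.5"},
    ]
})


def parse_version(text: str) -> tuple:
    """Map '5.9.5', 'v5.9.5' or '5.9.5-beta.1' to a numeric (major, minor, patch) tuple.

    Pre-release suffixes are dropped, which treats 5.9.5-beta.1 as 5.9.5,
    i.e. as affected. That is the conservative choice for a vulnerability check.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version: str) -> bool:
    """True if `version` falls in the '5.9.5 and earlier' range.

    Comparison is numeric per component: a plain string comparison ranks
    '5.10.0' below '5.9.5' and would wrongly flag a later build.
    """
    return parse_version(version) <= LAST_AFFECTED


def installed_craft_version(lock_json: str):
    """Read the pinned craftcms/cms version from composer.lock contents."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None  # Craft not present in this lock file


def check_lock(lock_json: str):
    """Return (version, affected) for the Craft install described by a composer.lock."""
    version = installed_craft_version(lock_json)
    if version is None:
        return None, False
    return version, is_affected(version)


if __name__ == "__main__":
    import sys

    # Pass a real composer.lock path to check an installation; otherwise use the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    version, affected = check_lock(source)
    print(f"craftcms/cms {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

Run it against each deployment's `composer.lock` (or the output of `composer show craftcms/cms`) rather than trusting a control-panel screenshot, since staging and development copies are the ones most often left behind on an old release.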
Evidence notes
CVE published 2026-05-27T15:16:26.467Z; modified 2026-05-27T20:00:46.020Z. NVD status: Deferred (NVD enrichment not performed; the CVSS values recorded here are those carried on the CVE record). CVSS 3.1 vector: network-attackable, no authentication or user interaction required, low impact on each of confidentiality, integrity and availability. CWE-862: authorization control missing.
Official resources
- CVE-2026-31266 CVE record (CVE.org)
- CVE-2026-31266 NVD detail (NVD)
- Source item: nvd_modified feed, 2026-05-27; source reference 134c704f-9b21-4f2e-91b3-4a467353bcc0