CVE-2026-29069: Unauthenticated Activation Email Trigger in Craft CMS

Craft CMS contains an improper access control vulnerability within its user management module. The affected component, UsersController, handles administrative actions related to user accounts, including the dispatch of activation emails for pending registrations. In affected versions, the specific action responsible for this task (actionSendActivationEmail) is inadvertently exposed to unauthenticated users via the public web interface.

By sending a crafted HTTP request to the application, a remote attacker can force the system to generate and send an activation email to the email address associated with a specific user ID. This occurs without requiring administrative privileges or a valid session. While the attacker cannot directly intercept the email or modify its destination, this behavior leaks information about the existence of user accounts and abuses the server's trust relationship with its email provider.

The vulnerability is classified as an Authorization Bypass Through User-Controlled Key (CWE-639). The root cause lies in the configuration of the allowAnonymousConfig property within src/controllers/UsersController.php. Craft CMS uses this property to explicitly whitelist actions that should be accessible without a session, such as login or password reset requests.

Prior to the patch, the send-activation-email action was included in this whitelist. Consequently, the application's request handling pipeline skipped standard authentication and authorization checks for this specific route. The controller method actionSendActivationEmail accepted a userId parameter from the POST body and immediately proceeded to process the activation logic, assuming the caller was authorized simply because the route was publicly exposed.

The vulnerability is evident in the comparison between the vulnerable controller configuration and the patched version. In the vulnerable code, the allowAnonymousConfig array acts as an explicit bypass for authentication filters.

Vulnerable Code (src/controllers/UsersController.php):

public $allowAnonymousConfig = [
    // ... other actions ...
    // CRITICAL: Explicitly allowing anonymous access
    'send-activation-email' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,
];
 
public function actionSendActivationEmail(): ?Response
{
    // Only checks for POST method, no permission checks
    $this->requirePostRequest();
    $userId = $this->request->getRequiredBodyParam('userId');
    // ... triggers email sending logic ...
}

Patched Code:

The fix involves removing the action from the anonymous whitelist and implementing strict access controls. The developer introduced a userActionChecks method that enforces administrative privileges.

// Action removed from $allowAnonymousConfig
 
public function actionSendActivationEmail(): ?Response
{
    // NEW: Enforce strict checks before processing
    $this->userActionChecks();
    $userId = $this->request->getRequiredBodyParam('userId');
    // ...
}
 
private function userActionChecks(): void
{
    // 1. Require Pro edition
    Craft::$app->requireEdition(Craft::Pro);
    // 2. Require POST method
    $this->requirePostRequest();
    // 3. Require request to originate from Control Panel
    $this->requireCpRequest();
    // 4. Require specific administrative permission
    $this->requirePermission('editUsers');
}

Exploitation requires no authentication. An attacker sends a POST request to the action URL, typically /index.php with a query parameter routing to the controller action (e.g., ?p=admin/actions/users/send-activation-email or just actions/users/send-activation-email), or via the friendly URL if configured.

Attack Steps:

1. Reconnaissance: The attacker identifies a target Craft CMS installation.
2. Request Construction: The attacker constructs a POST request containing a userId parameter. The ID is typically an integer.
3. Enumeration: The attacker iterates through sequential userId values (e.g., 1, 2, 3...).
   • If the user exists and is in a 'pending' state, the server returns a success response, and an email is dispatched.
   • If the user does not exist, the server returns a standard 404 or specific error message.
4. Analysis: By analyzing the HTTP response codes or timing differences, the attacker builds a list of valid user IDs. This confirms which ID slots are occupied, facilitating further targeted attacks.

The primary impact of CVE-2026-29069 is Information Disclosure (User Enumeration) and abuse of functionality. While the CVSS v4.0 score is Medium (6.9), the implications for enterprise environments are significant.

Consequences:

• User Enumeration: Attackers can map out the number of users and valid IDs on the system. This data is valuable for brute-force attacks or social engineering.
• Email Spam/Harassment: An attacker can trigger thousands of activation emails to legitimate users, causing confusion, eroding trust in the platform, or potentially damaging the domain's email reputation.
• Phishing Facilitation: By triggering an official email from the platform at a specific time, an attacker might trick a user into clicking a link, believing it is a legitimate administrative request, potentially leading to credential theft if the user is then redirected to a spoofed login page.