CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-CVPC-HCCG-WMW4

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 18, 2026·6 min read·2 visits

Executive Summary (TL;DR)

Low-privileged Craft CMS Control Panel users can bypass UI restrictions and make direct HTTP requests to Formie controller endpoints to modify administrative settings and access API keys due to missing server-side authorization checks.

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Vulnerability Overview

Formie is a popular form builder plugin for the Craft CMS ecosystem, developed by Verbb. It enables administrators to construct, manage, and process complex multi-page forms, collect payments via integrations like Stripe, and forward captured data to CRM or marketing platforms. The administrative control surface exposes various sensitive capabilities, including API keys, encryption secrets, database schemas, and outbound webhook configurations.\n\nThis vulnerability, tracked as GHSA-CVPC-HCCG-WMW4, is a classic example of Broken Access Control, specifically categorized under CWE-862 (Missing Authorization). Prior to version 3.1.28, the plugin failed to enforce server-side capability checks on several backend controller actions responsible for managing these administrative settings. This deficiency left the application exposed to privilege escalation from within the authenticated environment.\n\nThe attack surface is accessible to any user who has authenticated credentials for the Craft CMS Control Panel. Even if a user account is configured with the absolute minimum set of privileges, such as a restricted content author who lacks administrative rights, that user can directly access and execute actions across fifteen distinct settings-related controllers.

Root Cause Analysis

The root cause of GHSA-CVPC-HCCG-WMW4 lies in a fundamental architectural oversight regarding security boundaries in web applications. The Formie development team implemented authorization checks primarily at the User Interface layer. The main plugin class checked if the active session user was a super administrator before rendering the Settings link in the Control Panel's sidebar menu.\n\nWhile this UI-level constraint successfully hid the settings menu from unauthorized users, it did not secure the underlying routing endpoints or controller actions. Under the Craft CMS architecture, controllers handle incoming web requests by mapping routing paths directly to controller classes and action methods. Because these controllers extended the default craft web Controller class without overriding permission checks, they inherited standard, low-privilege access rules.\n\nConsequently, the application did not perform any server-side validation to verify that the requesting user possessed administrative privileges. An attacker could bypass the UI restrictions entirely by executing structured HTTP POST or GET requests directly targeting the backend action endpoints. This lack of centralized or middleware-enforced authorization checks allowed low-privileged sessions to execute critical administrative workflows.

Code Analysis

Prior to version 3.1.28, the Formie main class restricted UI access to the settings menu using the following code path inside src/Formie.php:\n\nphp\n// src/Formie.php (Vulnerable UI Check)\nif (Craft::$app->getUser()->getIsAdmin()) {\n $nav['subnav']['settings'] = [\n 'label' => Craft::t('formie', 'Settings'),\n 'url' => 'formie/settings',\n ];\n}\n\n\nTo remediate this, the patch introduced proper function-level access control. First, a granular permission was registered inside src/Formie.php:\n\nphp\n// src/Formie.php (Patched Check)\nif (Craft::$app->getUser()->checkPermission('formie-accessSettings')) {\n $nav['subnav']['settings'] = [\n 'label' => Craft::t('formie', 'Settings'),\n 'url' => 'formie/settings',\n ];\n}\n\n\nSecond, the patch introduced a base controller SettingsAccessController.php to intercept incoming requests and systematically enforce permission checks before executing any settings actions:\n\nphp\n// src/controllers/SettingsAccessController.php (New Base Controller)\n<?php\nnamespace verbb\\formie\\controllers;\n\nuse craft\\web\\Controller;\n\nclass SettingsAccessController extends Controller\n{\n public function beforeAction($action): bool\n {\n // Explicitly require the settings permission before executing any action\n $this->requirePermission('formie-accessSettings');\n\n return parent::beforeAction($action);\n }\n}\n\n\nFifteen settings-related controllers were refactored to inherit from SettingsAccessController instead of craft\\web\\Controller, securing all associated routes. For controllers where global inheritance was not applicable, explicit action checks were implemented. For example, in IntegrationsController.php:\n\nphp\n// src/controllers/IntegrationsController.php (Patched Method Check)\nif (in_array($action->id, ['save-integration', 'reorder-integrations', 'delete-integration', 'check-connection', 'connect', 'disconnect'], true)) {\n $this->requirePermission('formie-accessSettings');\n}\n

Exploitation Methodology

To exploit this vulnerability, an attacker must first obtain valid credentials to the Craft CMS Control Panel. This initial access can be achieved through credential harvesting, social engineering, or secondary low-severity application flaws. Once logged into the Control Panel, the attacker does not need any administrative permissions to proceed.\n\nThe attacker can identify target controllers by mapping standard Formie administrative endpoints, such as formie/integrations/save-integration. Because Craft CMS routing maps these endpoints predictably, the attacker can craft an HTTP request to save, modify, or delete a third-party integration configuration. The lack of server-side validation means the controller will process the request exactly as it would for a super administrator.\n\nThe following diagram illustrates the vulnerable control flow compared to the patched, secure authorization flow:\n\nmermaid\ngraph LR\n A["Low-Privilege User"] --> B{"Direct Request to Controller Action?"}\n B -- "Yes (Pre-Patch)" --> C["Skip UI Nav Check"]\n C --> D["Execute Action in Controller"]\n D --> E["Unauthorized Config Change"]\n B -- "Yes (Post-Patch)" --> F["beforeAction Interception"]\n F --> G{"Has 'formie-accessSettings'?"}\n G -- "No" --> H["403 Forbidden Access Blocked"]\n G -- "Yes" --> I["Execute Action"]\n

Impact Assessment

The security implications of GHSA-CVPC-HCCG-WMW4 are substantial, affecting the Confidentiality, Integrity, and Availability of the host Craft CMS platform. By gaining unauthorized access to the Formie configuration panel, a low-privileged user can intercept, modify, or disable critical business processes. The base severity for this flaw is assessed at CVSS 8.8 (High) due to the combination of low attack complexity and extensive privileges granted upon success.\n\nFrom a confidentiality perspective, administrative access to Formie allows users to view sensitive third-party API credentials, such as Stripe private keys, Mailchimp integration tokens, or CRM connection secrets. This exposure allows an attacker to exfiltrate these credentials and pivot to secondary external systems, expanding the breach surface well beyond the boundaries of the CMS.\n\nFrom an integrity and availability perspective, an attacker can modify active form behaviors, hijack payment processing destinations, alter submission routing rules, or delete crucial database migration configurations. This capability can result in financial loss through direct redirect attacks, lead capture hijacking, and structural application disruption.

Remediation and Mitigation Guidance

The primary remediation path is upgrading the Formie plugin to version 3.1.28 or higher immediately. The development team has systematically secured fifteen settings-related controllers by introducing the SettingsAccessController and defining the explicit formie-accessSettings permission check. Administrators must verify that the upgrade has been successfully applied and that no cached files or dependencies prevent the new controllers from running.\n\nFollowing the upgrade, security teams must audit user roles and permission sets in the Craft CMS Control Panel. Because the patch introduces a new granular permission, formie-accessSettings, administrators should verify that this permission is strictly restricted to trusted administrative groups. No low-privileged or standard user roles should have this permission enabled.\n\nIn environments where immediate patching is not feasible, organizations can implement temporary web application firewall rules. These rules should monitor and block POST requests targeting /admin/formie/settings/* or /admin/formie/integrations/* coming from IP addresses or sessions associated with non-administrative users. However, these mitigations are brittle and should not replace a complete patch application.

Official Patches

VerbbFormie Version 3.1.28 Release Notes
VerbbFormie Code Diff Comparison 3.1.27 vs 3.1.28

Technical Appendix

CVSS Score
8.8/ 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

Formie plugin for Craft CMS

Affected Versions Detail

Product
Affected Versions
Fixed Version
Formie
Verbb
< 3.1.283.1.28
AttributeDetail
CWE IDCWE-862 (Missing Authorization)
Attack VectorNetwork
CVSS v3.18.8 (High)
EPSS ScoreN/A
ImpactPrivilege Escalation and Unauthorized Configuration Modification
Exploit StatusNo public exploit available
KEV StatusNot listed

MITRE ATT&CK Mapping

T1548Abuse Elevation Control Mechanism
Privilege Escalation
T1078Valid Accounts
Initial Access
CWE-862
Missing Authorization

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

Vulnerability Timeline

Vulnerability Disclosed and Patched in Version 3.1.28
2026-06-05

References & Sources

  • [1]GitHub Security Advisory GHSA-CVPC-HCCG-WMW4
  • [2]Formie Source Code Repository

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•18 minutes ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
1 views•7 min read
•about 2 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 3 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
4 views•7 min read
•about 7 hours ago•GHSA-8QQM-FP2Q-V734
8.2

GHSA-8QQM-FP2Q-V734: Authorization Bypass in Skipper's Open Policy Agent Integration

An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.

Amit Schendel
Amit Schendel
6 views•6 min read
•about 9 hours ago•CVE-2026-53597
8.7

CVE-2026-53597: Remote Code Execution in Microsoft prompty via Insecure gray-matter Parsing

CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.

Amit Schendel
Amit Schendel
8 views•6 min read
•about 10 hours ago•GHSA-RJWR-M7QX-3FJR
8.6

GHSA-RJWR-M7QX-3FJR: Code Generation Injection in oapi-codegen

An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.

Alon Barad
Alon Barad
8 views•7 min read