
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-29069: Unauthenticated Activation Email Trigger in Craft CMS

Vulnerability ID: CVE-2026-29069
CVSS Score: 6.9
Published: 2026-03-04

A security vulnerability in Craft CMS allows unauthenticated remote attackers to trigger activation emails for pending user accounts. This flaw stems from an improper access control configuration in the UsersController, permitting anonymous access to the actionSendActivationEmail endpoint. Exploitation facilitates user enumeration and potential phishing campaigns by allowing attackers to verify the existence of user IDs and spam registered email addresses.

TL;DR

Unauthenticated attackers can trigger activation emails for arbitrary user IDs in Craft CMS versions prior to 5.9.0-beta.2 and 4.17.0-beta.2. This exposes user enumeration vectors and potential spam risks.


Technical Details

  • CWE ID: CWE-639
  • CVSS v4.0: 6.9 (Medium)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • Exploit Status: None / No Known Exploit

Affected Systems

  • Craft CMS 5.x < 5.9.0-beta.2
  • Craft CMS 4.x < 4.17.0-beta.2
  • Craft CMS: >= 5.0.0-RC1, < 5.9.0-beta.2 (Fixed in: 5.9.0-beta.2)
  • Craft CMS: >= 4.0.0-RC1, < 4.17.0-beta.2 (Fixed in: 4.17.0-beta.2)

Code Analysis

Commit: c3d02d4

Fixed unauthenticated access to actionSendActivationEmail

Mitigation Strategies

  • Update Craft CMS to the latest stable version.
  • Restrict access to administrative action routes via WAF rules.
  • Monitor logs for repeated requests to the users/send-activation-email endpoint.

Remediation Steps:

  1. Identify the current running version of Craft CMS.
  2. If running Craft 5, update immediately to version 5.9.0-beta.2 or later.
  3. If running Craft 4, update immediately to version 4.17.0-beta.2 or later.
  4. Verify the update by checking the composer.lock file or the Craft Control Panel footer.
  5. Review server access logs for POST requests to *actions/users/send-activation-email that originate from unauthenticated clients.
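The log review in step 5 and the "Monitor logs" mitigation above can be scripted. The following is an added example, not code from the advisory or from Craft CMS: it parses standard combined-format access-log lines (Apache/nginx default) and flags source IPs that POST to the send-activation-email route repeatedly within a short window. The sample log lines, the threshold and the window are constructed for illustration; note that an access log does not record session state, so the script flags bursts from any client and an analyst still has to confirm which ones were unauthenticated.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Standard "combined" access-log line (Apache/nginx default format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# The route named in the advisory, whether reached via /index.php?p=... or a bare path.
TARGET = re.compile(r'actions/users/send-activation-email(?:\?|$)')

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Mar/2026:10:00:01 +0000] "POST /index.php?p=actions/users/send-activation-email HTTP/1.1" 302 0',
    '203.0.113.7 - - [04/Mar/2026:10:00:02 +0000] "POST /index.php?p=actions/users/send-activation-email HTTP/1.1" 302 0',
    '203.0.113.7 - - [04/Mar/2026:10:00:03 +0000] "POST /index.php?p=actions/users/send-activation-email HTTP/1.1" 302 0',
    '198.51.100.4 - - [04/Mar/2026:10:01:00 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 302 0',
    '198.51.100.4 - - [04/Mar/2026:10:02:00 +0000] "GET /actions/users/send-activation-email HTTP/1.1" 405 0',
    '192.0.2.9 - - [04/Mar/2026:10:03:00 +0000] "GET /index.php?p=actions/users/login HTTP/1.1" 200 512',
]

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line is not parsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])

def find_abuse(lines, threshold=3, window=timedelta(minutes=5)):
    """Map each source IP to its total POST count on the route if it made
    `threshold` or more such POSTs inside any `window`-long span."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method == "POST" and TARGET.search(path):
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive hits within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for ip, n in find_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {n} POSTs to send-activation-email within the window")
```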


Read the full report for CVE-2026-29069 on our website for more details including interactive diagrams and full exploit analysis.