GHSA-gj2p-p9m4-c8gw: Craft CMS's Missing Authorization in GraphQL Address Resolver Allows Cross-Scope PII Disclosure
Severity: High
Tags: vulnerability, security
Summary
Craft CMS has a security flaw in its GraphQL Address resolver: the resolver does not restrict the addresses it returns to those the requesting token is authorized to see. A GraphQL API token (a credential that grants limited access to the API) scoped to read only one user group can therefore retrieve addresses belonging to users in every user group, exposing personal information such as names, postal addresses, tax IDs, and organization details that should be hidden from that token.
Vulnerability Details
EPSS (30-day exploit probability): 0.0%
Patch Available: Yes
Disclosure Date: May 6, 2026
Classification
Attack Sophistication: Trivial
Affected Packages
craftcms/cms@>= 4.0.0, < 4.17.12 (fixed: 4.17.12)
craftcms/cms@>= 5.0.0, < 5.9.18 (fixed: 5.9.18)
Original source: https://github.com/advisories/GHSA-gj2p-p9m4-c8gw
First tracked: May 6, 2026 at 02:00 PM