GHSA-234q-vvw3-mrfq
Craft CMS has unauthenticated activation email trigger with potential user enumeration
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
craftcms/cms🐘craftcms/cmsReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
The actionSendActivationEmail() endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pending user account by knowing or guessing the user ID. If the attacker controls the target user’s email address, they can activate the account and gain access to the system.
The vulnerability is not that anonymous access exists - there’s a legitimate use case for it. The vulnerability is that the endpoint accepts arbitrary userId parameters without verifying ownership.
Craft CMS allows public user registration. When a user registers but doesn’t receive their activation email (spam filter, typo correction, etc.), they need a way to request a resend. This is why send-activation-email is in the allowAnonymous array - it’s intentional self-service functionality.
The Security Gap
The endpoint accepts userId as the identifier:
$userId = $this->request->getRequiredBodyParam('userId');
This allows any visitor to trigger activation emails for any pending user, not just their own registration.
Background
When administrators create new user accounts in Craft CMS, users are created in a “pending” state until they activate their account via an emailed link. The actionSendActivationEmail() function sends (or resends) this activation email.
Expected Behavior: Anonymous users should only be able to resend activation emails for their own registration.
Actual Behavior:
- The endpoint is listed in
allowAnonymous- no login required (intentional for self-service) - For pending users, there is NO ownership verification
- Any unauthenticated visitor can trigger activation emails for ANY pending user by ID
Attack Scenarios
Scenario 1: Targeted Account Takeover
Prerequisites: Attacker controls target user’s email (compromised email, shared mailbox, typosquatting, etc.)
1. Admin creates a user account for [email protected]
2. User account is in PENDING state (hasn’t activated yet)
3. Attacker has compromised [email protected] (or it’s a typo of attacker’s domain)
4. Attacker discovers user ID (brute-force, GraphQL enumeration, or insider knowledge)
5. Attacker (unauthenticated) triggers: POST /actions/users/send-activation-email
6. Activation email sent to [email protected] (attacker-controlled)
7. Attacker clicks activation link, sets password
8. Attacker gains access as that user with pre-assigned permissions
Scenario 2: User ID Brute-Force Enumeration
1. Attacker iterates through user IDs (1, 2, 3, ...)
2. For each ID, the attacker calls send-activation-email
3. Response reveals user state:
- "Activation email sent." = Pending user exists
- "User not found" = No user with this ID
- "Activation emails can only be sent to inactive or pending users" = Active user exists
4. Attacker builds a map of all user IDs and their states
5. For any pending user whose email an attacker controls → account takeover
Scenario 3: GraphQL + Targeted Attack
Prerequisites: GraphQL public schema allows user queries
1. Attacker queries GraphQL: { users { id email status } }
2. Filters for pending users
3. Cross-references with emails attacker controls
4. Triggers activation for the target user
5. Account takeover
Scenario 4: Email Spam / Harassment
1. Attacker brute-forces all pending user IDs
2. Repeatedly triggers activation emails
3. Victims receive unwanted emails from the Craft site
4. Potential for:
- Reputation damage to the site
- Email deliverability issues (spam reports)
- User confusion/phishing vector
References
https://github.com/craftcms/cms/commit/c3d02d4a7246f516933f42106c0a67ce062f68d8
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | craftcms/cms | ≥ 5.0.0-RC1&&< 5.9.0-beta.2 | 5.9.0-beta.2 |
| 🐘Packagist | craftcms/cms | ≥ 4.0.0-RC1&&< 4.17.0-beta.2 | 4.17.0-beta.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for craftcms/cms. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update craftcms/cms to 5.9.0-beta.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-234q-vvw3-mrfq is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-234q-vvw3-mrfq is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-234q-vvw3-mrfq. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-234q-vvw3-mrfq in your dependencies?
O3 detects GHSA-234q-vvw3-mrfq across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.