Craft CMS Authorization Bypass Through User-Controlled Key Vulnerability - CVE-2026-28696

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1 the GraphQL directive parseRefs intended to parse internal reference tags (e.g. user:1:email) can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks allowing attackers to read data they are not authorized to view. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.