Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit

Description

A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The getTokenRoute() method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.

To make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.

For this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.

References

https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-02-23 22:16:22 UTC
Updated
2026-02-24 16:08:49 UTC
GitHub reviewed
2026-02-23 22:16:22 UTC
NVD published
2026-02-23

EPSS Score

Score Percentile
0.01% 0.61%

CVSS Scores

Base score Version Severity Vector
6.9 4.0
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network.
Attack complexity (AC:H)
Exploitation depends on constrained or hard-to-reproduce conditions.
Attack requirements (AT:P)
Additional preconditions must be present for exploitation.
Privileges required (PR:H)
High privileges are required.
User interaction (UI:N)
No user interaction is required.
Vulnerable system confidentiality impact (VC:H)
High confidentiality impact on the vulnerable system.
Vulnerable system integrity impact (VI:N)
No integrity impact on the vulnerable system.
Vulnerable system availability impact (VA:N)
No availability impact on the vulnerable system.
Subsequent system confidentiality impact (SC:H)
High confidentiality impact on subsequent systems.
Subsequent system integrity impact (SI:N)
No integrity impact on subsequent systems.
Subsequent system availability impact (SA:N)
No availability impact on subsequent systems.

Identifiers

CWEs

CWE id Name
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Credits

  • vitalysim (reporter)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
composer craftcms/cms >= 4.5.0-RC1, <= 4.16.18 4.16.19
composer craftcms/cms >= 5.0.0-RC1, <= 5.8.22 5.8.23

References

cvelogic Threat Intelligence