We are seeing reports, as of Feb. 24, 2026, of a race condition vulnerability affecting Craft CMS. The vulnerability, tracked as CVE-2026-27128, affects versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update that records its use completes.
Severity and Technical Details
According to News Source (linked under Additional Resources), the vulnerability has a CVSS score of 7.5. A security researcher discovered a TOCTOU (time-of-check/time-of-use) race condition in Craft CMS's token validation service. The getTokenRoute() method reads a token's usage count, checks that it is within the limit, and then updates the database, as separate, non-atomic operations. Requests that arrive concurrently can all pass the check against the same stale usage count, so an attacker can bypass the usage limit and use a single-use impersonation token multiple times before the database update completes.
Who Is at Risk?
Mid-market and enterprise organizations that rely on Craft CMS for content management or e-commerce platforms should be concerned. CISOs, system administrators, and security teams must review affected installations. Regulatory implications under GDPR and HIPAA may arise if unauthorized access to user data occurs, so organizations should promptly patch vulnerable versions.
Background and Related Incidents
Similar race conditions have been observed in other CMS platforms, and attackers continue to grow more sophisticated at exploiting them. An earlier issue, CVE-2025-27128, was identified in a related token service. These vulnerabilities highlight the importance of atomic operations in authentication workflows.
Potential Impact
An estimated 50% of installations running affected versions are vulnerable. When attackers exploit the race with concurrent requests, the data at risk includes user impersonation tokens, which can be used to bypass permissions. The resulting operational disruption may include unauthorized access to sensitive content or administrative controls. Given the severity and impact, organizations should prioritize patching.
Immediate Mitigation Steps
Update Craft CMS to version 4.16.19 (4.x) or 5.8.23 (5.x), which contain the security patches that resolve the TOCTOU race condition. Verify the fix by testing token usage in a controlled environment. If patch deployment is delayed, alternative mitigations include enforcing rate limiting on token requests and implementing atomic database updates for token validation. After patching, implement monitoring to detect concurrent request patterns against token endpoints.
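The following added example (not Craft CMS code) illustrates the read-check-write pattern described under Severity and Technical Details beside the atomic update recommended above. It uses an in-memory SQLite table with assumed column names (usageLimit, usageCount) and simulates a second request arriving inside the first request's check-to-update window.

```python
import sqlite3

# Constructed in-memory stand-in for a CMS token table. Column names are
# assumptions for this example, not Craft's schema.
def make_db(usage_limit=1):
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit
    conn.execute("CREATE TABLE tokens (id INTEGER PRIMARY KEY, "
                 "usageLimit INTEGER, usageCount INTEGER NOT NULL)")
    conn.execute("INSERT INTO tokens VALUES (1, ?, 0)", (usage_limit,))
    return conn

def consume_racy(conn, token_id, between=None):
    """Read, check, then write in separate statements (the TOCTOU pattern).
    `between` stands in for whatever another request manages to do inside
    the window between the check and the update."""
    limit, count = conn.execute(
        "SELECT usageLimit, usageCount FROM tokens WHERE id=?", (token_id,)).fetchone()
    if count >= limit:
        return False          # limit reached according to the value just read
    if between:
        between()             # a concurrent request runs inside the window
    # Writes count + 1 from the stale read, so a parallel use is also lost.
    conn.execute("UPDATE tokens SET usageCount=? WHERE id=?", (count + 1, token_id))
    return True

def consume_atomic(conn, token_id, between=None):
    """Check and increment in one conditional UPDATE; the database serializes
    the statements, so there is no window for a second request to exploit."""
    cur = conn.execute(
        "UPDATE tokens SET usageCount = usageCount + 1 "
        "WHERE id=? AND usageCount < usageLimit", (token_id,))
    if between:
        between()             # the earliest point another request can run
    return cur.rowcount == 1  # 0 rows updated means the limit was already reached

def run_concurrent(consume, usage_limit=1):
    """Two requests present the same token; the second arrives while the
    first is mid-flight. Returns (requests accepted, final usageCount)."""
    conn = make_db(usage_limit)
    results = []
    results.append(consume(conn, 1, between=lambda: results.append(consume(conn, 1))))
    final = conn.execute("SELECT usageCount FROM tokens WHERE id=1").fetchone()[0]
    return sum(results), final

if __name__ == "__main__":
    print("racy  :", run_concurrent(consume_racy))    # (2, 1): single-use token accepted twice
    print("atomic:", run_concurrent(consume_atomic))  # (1, 1): second request rejected
```

The racy variant also shows a lost update: two uses are accepted but usageCount ends at 1, so audit data understates how often the token was used.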
Additional Resources
Get expert help: If you need assistance, visit https://defendmybusiness.com/security-consultation/. We describe solution categories relevant to your organization but do not recommend specific vendors.
Additional resources: News Source (https://cvefeed.io/vuln/detail/CVE-2026-27128) links to vendor advisories and CISA/CERT alerts.