Craft CMS User Activation Email Trigger Vulnerability Allowing Account Takeover

Vulnerability

Craft CMS versions 4.0.0-RC1 up to (but not including) 4.17.0-beta.2, and 5.0.0-RC1 up to (but not including) 5.9.0-beta.2, expose the actionSendActivationEmail() controller action to unauthenticated requests and do not check whether the caller is permitted to manage the target account. Because the action accepts an arbitrary user ID, an attacker can trigger an activation email for any pending user account simply by guessing or enumerating IDs. If the attacker controls the email address attached to a pending account, they receive the activation link, activate the account, and obtain a working login.

Impact

Successful exploitation lets an attacker activate a pending account they were never meant to control and log in as that user with the permissions assigned to it. The impact scales with those permissions: a pending account provisioned for a privileged role yields an account takeover at that privilege level.

Reproduction

To reproduce, send an unauthenticated POST request to /actions/users/send-activation-email with a userId body parameter that identifies a pending user account. The action processes the request without verifying that the caller owns, or is permitted to administer, that account, so an activation email is sent to the address on file for it. Because the only attacker-supplied input is the user ID, the request can be repeated across a range of IDs to reach every pending account on the site.
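The request described above leaves a trace in ordinary web-server access logs: a burst of POSTs to the action URL from one source while an attacker walks through user IDs. The following detection script is an added example, not code from Craft CMS or from the original advisory. It parses combined-format access log lines, counts POSTs to /actions/users/send-activation-email per source IP inside a sliding time window, and flags sources that exceed a threshold. The sample log lines, the IP addresses, the threshold of 5 requests in 5 minutes and the user-agent strings are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Combined log format; only the fields needed for the rule are captured.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Action URL named in the advisory (path only; query strings are stripped before matching).
TARGET_PATH = "/actions/users/send-activation-email"


class Alert(NamedTuple):
    ip: str
    hits: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0].rstrip("/")
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_enumeration(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """Flag source IPs that POST to the activation-email action >= threshold times within window.

    Status codes are deliberately not filtered: after the fix the action answers with an
    error, but the attempts are still worth seeing.
    """
    per_ip: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, _status = parsed
        if method == "POST" and path == TARGET_PATH:
            per_ip[ip].append(ts)

    alerts: List[Alert] = []
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        best: Optional[Alert] = None
        # Sliding window: keep the densest run of requests for each source.
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            hits = end - start + 1
            if hits >= threshold and (best is None or hits > best.hits):
                best = Alert(ip, hits, stamps[start], ts)
        if best is not None:
            alerts.append(best)
    return alerts


# Constructed sample log: one legitimate admin-triggered send, then an enumeration burst.
SAMPLE_LOG = """\
198.51.100.20 - - [04/Mar/2026:17:10:42 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 200 512 "https://example.test/admin/users/41" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2026:17:20:01 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:02 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 400 198 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:03 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:04 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 400 198 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:05 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:06 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 400 198 "-" "python-requests/2.31.0"
203.0.113.7 - - [04/Mar/2026:17:20:07 +0000] "POST /actions/users/send-activation-email HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
192.0.2.9 - - [04/Mar/2026:17:21:00 +0000] "GET /index.php?p=admin/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in find_enumeration(SAMPLE_LOG.splitlines()):
        print(f"{alert.ip}: {alert.hits} activation-email POSTs between {alert.first_seen} and {alert.last_seen}")
```

Two limits to keep in mind when deploying this. The userId value travels in the POST body, which access logs do not record, so the rule keys on request rate rather than on the IDs being tried. Craft also accepts the action name as an `action` body parameter on a POST to any URL, so a request that is routed that way will not show the action path in the log; if that form of routing is in use, the rule needs a log source that records the body parameter.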

Remediation

Upgrade to Craft CMS 5.9.0-beta.2 or 4.17.0-beta.2 (or a later release on the respective branch), which fix this vulnerability. After upgrading, review pending and recently activated user accounts, together with the email addresses attached to them, for activations that no administrator initiated.
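Deciding whether a given installation falls inside the affected ranges is less obvious than it looks, because the boundaries are pre-release versions: 4.17.0-beta.1 is affected while 4.17.0-beta.2 and 4.17.0 are not. The checker below is an added example, not part of the advisory or of Craft CMS. It orders versions the way Craft's own tags read (alpha before beta before RC before the final release) and tests a version string against the two ranges given above; the parser, the stage ranking and the function names are assumptions made for this example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Pre-release stages in ascending order; a final release sorts above all of them.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_RELEASE_RANK = 3

# Accepts "4.17.0", "4.17.0-beta.2", "4.0.0-RC1", "5.0.0-alpha.1" (case-insensitive).
_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\.?(\d*))?$", re.IGNORECASE
)


class VersionKey(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int       # 0 alpha, 1 beta, 2 rc, 3 final release
    stage_num: int   # the "2" in beta.2; 0 for a final release


def parse_version(text: str) -> VersionKey:
    """Parse a Craft CMS version string into a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version string: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    if stage is None:
        return VersionKey(int(major), int(minor), int(patch), _RELEASE_RANK, 0)
    return VersionKey(int(major), int(minor), int(patch),
                      _STAGE_RANK[stage.lower()], int(stage_num or 0))


# (first affected, first fixed) per branch, as stated in the advisory; the upper bound is exclusive.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("4.0.0-RC1", "4.17.0-beta.2"),
    ("5.0.0-RC1", "5.9.0-beta.2"),
]


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def minimum_fixed_version(version: str) -> Optional[str]:
    """The first fixed release on the same branch, or None if the version is not in a listed range."""
    key = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if parse_version(lo) <= key < parse_version(hi):
            return hi
    return None


if __name__ == "__main__":
    # Constructed inventory of installed versions.
    for v in ["4.16.3", "4.17.0-beta.1", "4.17.0", "5.8.2", "5.9.0-alpha.1", "5.9.0-beta.2", "3.9.14"]:
        fix = minimum_fixed_version(v)
        print(f"{v:15} affected={is_affected(v)!s:5} upgrade_to={fix}")
```

A version outside both ranges is reported as "not in a listed range", not as safe: 3.x and any later major branch are simply not covered by this advisory, and the check should be read that way.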

Added: Mar 4, 2026, 5:19 PM
Updated: Mar 4, 2026, 6:12 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 0.6
exploitability: 7.8
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.