Craft CMS
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*
- >= 4.0.0, < 4.17.12
- > 5.0.0, < 5.9.18
A vulnerability exists in Craft CMS versions 4.0.0 prior to 4.17.12 and 5.0.0 through 5.9.17, where the GraphQL Address element resolver lacks proper schema scope filtering on top-level queries. This flaw allows a GraphQL API token assigned to a low-privilege user group to access all addresses in the system, including those belonging to users in groups the token is not authorized to access. The exposed information includes personally identifiable information (PII) such as full names, addresses, organizations, and tax IDs. The issue arises because the Address resolver does not apply the same scope filtering as other resolvers, creating a significant gap in the authorization model.
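As an added illustration, not Craft CMS source code: a hypothetical Python model of the missing check, showing a resolver that ignores the token's schema scope beside one that filters addresses by the owner's user group. All type names, field names and sample data are constructed.

```python
# Added illustration (not Craft CMS code): a minimal model of GraphQL schema
# scope filtering for an Address resolver. Names and data are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    group: str  # user group name, e.g. "members" or "admins"


@dataclass(frozen=True)
class Address:
    id: int
    owner_id: int  # id of the User that owns this address
    full_name: str
    tax_id: str


@dataclass(frozen=True)
class Token:
    name: str
    allowed_groups: frozenset  # user groups the schema grants read access to


# Constructed sample data: one admin and two low-privilege members.
USERS = {1: User(1, "admins"), 2: User(2, "members"), 3: User(3, "members")}
ADDRESSES = [
    Address(10, 1, "Admin Person", "TAX-ADMIN"),
    Address(11, 2, "Member One", "TAX-M1"),
    Address(12, 3, "Member Two", "TAX-M2"),
]


def resolve_addresses_unscoped(token, owner_id=None):
    """Models the flawed resolver: it honours the ownerId argument but never
    consults the token's schema scope, so every address is visible."""
    return [a for a in ADDRESSES if owner_id is None or a.owner_id == owner_id]


def resolve_addresses_scoped(token, owner_id=None):
    """Models the corrected behaviour: apply the same scope filter the other
    resolvers use, keeping only addresses owned by users in allowed groups."""
    result = []
    for a in ADDRESSES:
        owner = USERS.get(a.owner_id)
        if owner is None or owner.group not in token.allowed_groups:
            continue  # owner outside the token's scope: drop it
        if owner_id is not None and a.owner_id != owner_id:
            continue
        result.append(a)
    return result
```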
Exploitation of this vulnerability allows for unauthorized access to all user addresses in the system, including sensitive PII, regardless of the token's user group scope. Additionally, the vulnerability enables targeted extraction of addresses belonging to specific users, including high-value individuals such as administrators, by using their owner IDs.
To reproduce this vulnerability, obtain a GraphQL API token with read access to a low-privilege user group. Then, use this token to query the 'addresses' endpoint. The response will include all addresses in the system, including those from users in groups not authorized by the token.
Users can update to Craft CMS versions 4.17.12 or 5.9.18, where this vulnerability has been fixed.