The GraphQL directive @parseRefs, intended to parse internal reference tags (e.g., {user:1:email}), can be abused by both authenticated users and unauthenticated guests (if a Public Schema is enabled) to access sensitive attributes of any element in the CMS. The implementation in Elements::parseRefs fails to perform authorization checks, allowing attackers to read data they are not authorized to view.
craft\services\Elements::parseRefs identifies reference tags and resolves them using _getRefTokenReplacement. This method fetches the referenced element and accesses the specified attribute via $element->$attribute.
None of this is gated by canView() checks. getElementTypeByRefHandle allows referencing any element type (entry, asset, user, category), and because the element's __get() resolves custom field handles, an attacker is not limited to core attributes: they can exfiltrate any custom field data by enumerating the field handle (e.g. {entry:123:privateNotes}).

An attacker can enumerate sensitive attributes of administrators or other users, e.g. {user:1:email} or {user:1:photoId}. The vulnerability allows reflecting any accessible property of the underlying Element model, e.g. {user:1:username} (confirmed: returns admin) or {user:1:admin}. A tag such as {user:1:authKey} exposes full server stack traces in the GraphQL error response (e.g., Exception: No user session token exists, with paths like /var/www/html/...).

The vulnerability is not limited to Users. Reference tags can target any element type, e.g. {entry:456:myConfidentialField}, which bypasses canView checks.

Versions referenced: 4.17.0-beta.1, 5.9.0-beta.1
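As an added illustration (not Craft's code), the following hypothetical PHP resolver shows the check that _getRefTokenReplacement lacks: it parses the {type:id:attribute} form, requires a per-element view permission before touching the element, and limits readable attributes to an allowlist so custom field handles are never reachable through a tag. All class and method names and the sample store are constructed for the example.

```php
<?php
// Added illustration, not Craft CMS code: a hypothetical minimal ref-tag resolver that
// checks view permission and an attribute allowlist before reading anything.
final class Element
{
    /** @param array<string,mixed> $attributes core attributes and custom field values
     *  @param int[] $viewers ids of users allowed to view this element (models canView) */
    public function __construct(private array $attributes, private array $viewers) {}
    public function canView(int $userId): bool
    {
        return in_array($userId, $this->viewers, true);
    }
    public function getAttribute(string $name): mixed
    {
        return $this->attributes[$name] ?? null;
    }
}
final class SafeRefParser
{
    // Attributes exposable through ref tags; custom field handles are deliberately absent.
    private const ALLOWED = [
        'entry' => ['title', 'slug', 'url'],
        'user'  => ['username', 'fullName'],
    ];
    /** @param array<string,Element> $store elements keyed by "type:id" (constructed sample) */
    public function __construct(private array $store) {}
    // $viewerId is null for unauthenticated (public schema) requests.
    public function parseRefs(string $text, ?int $viewerId): string
    {
        return preg_replace_callback('/\{(\w+):(\d+):(\w+)\}/', function (array $m) use ($viewerId): string {
            [$tag, $type, $id, $attr] = $m;
            $element = $this->store["$type:$id"] ?? null;
            // Missing element, guest, no view right, or unlisted attribute: leave the tag
            // unresolved. Returning (not throwing) also avoids stack traces in GraphQL errors.
            if ($element === null || $viewerId === null || !$element->canView($viewerId)
                || !in_array($attr, self::ALLOWED[$type] ?? [], true)) {
                return $tag;
            }
            return (string) $element->getAttribute($attr);
        }, $text);
    }
}
// Constructed sample: user 1 may view entry 123; the custom field is never exposed.
$parser = new SafeRefParser([
    'entry:123' => new Element(['title' => 'Hello', 'privateNotes' => 'secret'], [1]),
]);
assert($parser->parseRefs('{entry:123:title} {entry:123:privateNotes}', 1) === 'Hello {entry:123:privateNotes}');
assert($parser->parseRefs('{entry:123:title}', null) === '{entry:123:title}');
```

Leaving an unresolvable tag in place rather than throwing also keeps server stack traces out of the GraphQL error response.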
CVSS v4.0 base score: 8.7
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Exploitability: AV:N, AC:L, AT:N, PR:N, UI:N
Vulnerable System: VC:H, VI:N, VA:N
Subsequent System: SC:N, SI:N, SA:N