Listen to this Post
How the CVE works
The Sprig Playground is a development tool bundled with the Sprig plugin for Craft CMS. It provides an interactive UI to test Sprig components, but it also unintentionally exposes backend functionality when accessed by users with administrative privileges or explicit permission. In vulnerable versions (3.0.0–3.15.1 and 2.0.0–2.15.1), the Playground endpoint allowed authenticated users to invoke internal methods such as hashData(), which can be abused to leak the application’s security key, database credentials, and other sensitive configuration variables. The issue stems from insufficient access control combined with the Playground’s ability to evaluate or display server‑side values. By default, the Playground remains accessible even when `devMode` is disabled, meaning it could be reached in production environments by users who were not meant to have such visibility. The lack of proper input sanitization further enables the disclosure of environment variables and secrets through specially crafted requests. Attackers with valid admin accounts or users explicitly granted Sprig Playground permissions could retrieve these secrets, potentially leading to full system compromise. The vulnerability is considered moderate because it requires authenticated access, but its impact is severe due to the sensitivity of exposed data.
dailycve form
Platform: Craft CMS
Version: <3.15.2,<2.15.2
Vulnerability : Information Disclosure
Severity: Moderate
date: Mar 23,2026
Prediction: Already patched Mar23
What Undercode Say:
Check current devMode setting php craft project-config/get devMode Verify Sprig Playground access (if still on vulnerable version) curl -X POST -H "X-Craft-Token: <admin_token>" \ "https://example.com/index.php?p=admin/actions/sprig/playground/run" \ -d "method=hashData&data=test" Mitigation: disable Playground via config/sprig.php echo '<?php return ["enablePlaygroundWhenDevModeDisabled" => false];' > config/sprig.php Alternatively, restrict permissions via Craft’s user groups php craft assign-permission "sprig-accessPlayground" --deny
how Exploit:
- Obtain credentials for an admin account or a user with `sprig-accessPlayground` permission.
2. Navigate to `/admin/actions/sprig/playground/run` while authenticated.
- Send POST requests with `method=hashData&data=any` to read internal server responses.
- Use the Playground’s debugging features to dump
$_ENV,$_SERVER, and config constants.
Protection from this CVE
Upgrade to Sprig 3.15.2 or 2.15.2 immediately. If upgrading is not possible, set `enablePlaygroundWhenDevModeDisabled = false` in `config/sprig.php` and ensure `devMode` is off in production. Restrict the `sprig-accessPlayground` permission to zero users unless absolutely necessary.
Impact
Exposure of the security key, database credentials, and other secrets allows attackers to decrypt cookies, forge signed requests, access the database, and potentially execute arbitrary code via the `hashData()` signing function. Full application compromise may follow.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

