CVE-2020-26167

9.8 CRITICAL

📋 TL;DR

CVE-2020-26167 is a critical authentication bypass vulnerability in FUEL CMS that allows anonymous users to take complete ownership of any account, including administrator accounts, through the page preview feature. This affects all FUEL CMS installations version 11.4.12 and earlier. Attackers can gain full administrative control without any authentication.

💻 Affected Systems

Products:
  • FUEL CMS
Versions: 11.4.12 and earlier
Operating Systems: All operating systems running FUEL CMS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the page preview feature enabled are vulnerable. This is a core feature of FUEL CMS.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the CMS installation, allowing attackers to create new admin accounts, modify content, install backdoors, access sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Attackers gain administrative access to the CMS, deface websites, steal sensitive information, and maintain persistent access through backdoors.

🟢 If Mitigated

If proper network segmentation and monitoring are in place, impact may be limited to the CMS system itself, though a data breach and compromise of that system can still occur.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable without authentication and affects internet-facing CMS installations directly.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require internal network access for exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward and requires no authentication. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 11.4.13 and later

Vendor Advisory: https://www.getfuelcms.com/

Restart Required: No

Instructions:

1. Back up your FUEL CMS installation and database.
2. Download FUEL CMS version 11.4.13 or later from the official repository.
3. Replace all files with the updated version.
4. Verify the update by checking the version in the admin panel.

🔧 Temporary Workarounds

Disable Page Preview Feature

all

Temporarily disable the vulnerable page preview feature to prevent exploitation.

Edit fuel/application/config/fuel.php and set 'preview' => FALSE

Restrict Access to Preview URLs

all

Use web server configuration to block access to preview-related endpoints.

For Apache: add 'RewriteRule ^(.*)/preview/(.*)$ - [F,L]' to .htaccess
For Nginx: add 'location ~* /preview/ { return 403; }' to site config

🧯 If You Can't Patch

  • Implement strict network access controls to limit access to the FUEL CMS admin interface
  • Enable detailed logging and monitoring for any access to preview functionality or unauthorized admin actions

🔍 How to Verify

Check if Vulnerable:

Check if your FUEL CMS version is 11.4.12 or earlier by viewing the version in the admin panel or checking the fuel/application/config/constants.php file.

Check Version:

grep 'FUEL_VERSION' fuel/application/config/constants.php

Verify Fix Applied:

Verify the version is 11.4.13 or later in the admin panel and test that the page preview feature no longer allows account takeover.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access to /preview/ endpoints
  • Unauthorized admin account creation or modification
  • Multiple failed login attempts followed by successful admin access

Network Indicators:

  • HTTP requests to preview endpoints from unexpected IP addresses
  • Sudden increase in admin panel traffic

SIEM Query:

source="web_logs" AND (uri="/preview/*" OR user_agent="*FUEL-CMS*" AND status=200 AND method="POST")
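The log indicators above, expressed as a small detector over web-server access logs. This is an added example and not part of the original advisory; it assumes the Apache/nginx combined log format, a trusted admin source range of 10.0.0.0/8, and constructed sample lines rather than real traffic.

```python
import re
from collections import Counter

# Apache/nginx combined log format (assumption: adapt the regex to your own format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /fuel/preview/ HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /fuel/preview/ HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.5 - - [10/Oct/2020:14:01:02 +0000] "GET /fuel/admin/pages HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2020:14:03:11 +0000] "POST /fuel/preview/ HTTP/1.1" 403 199 "-" "python-requests/2.24"
10.0.0.5 - - [10/Oct/2020:14:05:20 +0000] "GET /about HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

TRUSTED_NETS = ("10.",)  # assumption: legitimate admin users come from this range


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_preview_hits(log_text, trusted_prefixes=TRUSTED_NETS):
    """Return successful (HTTP 200) /preview/ requests from untrusted addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or "/preview/" not in rec["uri"]:
            continue
        if rec["status"] != "200":
            continue  # already blocked, e.g. by the .htaccess / nginx 403 workaround
        if rec["ip"].startswith(trusted_prefixes):
            continue
        hits.append(rec)
    return hits


def summarize(hits):
    """Count flagged requests per (source IP, method) for triage."""
    return Counter((h["ip"], h["method"]) for h in hits)


if __name__ == "__main__":
    for (ip, method), n in summarize(find_preview_hits(SAMPLE_LOG)).items():
        print(f"{ip} {method} /preview/ x{n}")
```

Requests that received a 403 are skipped, so a run over logs taken after the web-server workaround is applied also confirms that the block is in effect.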
