Skip to main content

Craft Cms CVE-2026-25497

HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-02-09 security-advisories@github.com GHSA-fxp3-g6gw-4r4v
Privilege Escalation Craft Cms
8.8
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Feb 19, 2026 - 19:16 nvd
Patch available
CVE Published
Feb 09, 2026 - 20:15 nvd
HIGH 8.8

DescriptionNVD

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

AnalysisAI

Craft CMS versions 4.0.0-RC1 to 4.17.0 and 5.0 to 5.9.0 contain a privilege escalation vulnerability in the GraphQL API that allows authenticated users with write access to one asset volume to modify or transfer assets across any other volume, including restricted ones they should not access. The vulnerability stems from insufficient authorization validation in the saveAsset mutation, which verifies permissions against the intended volume but fails to confirm the target asset actually belongs to that volume. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as user with write access
Delivery
Query target asset ID from restricted volume
Exploit
Call saveAsset GraphQL mutation with crafted parameters
Execution
Bypass authorization check
Impact
Modify or transfer restricted asset
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Authenticated user account with write access to at least one asset volume in Craft CMS 4.0.0-RC1 through 4.16.x or 5.0.0 through 5.9.0-beta.0. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.8 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker without authentication could exploit this vulnerability to compromise the affected system.
Remediation A vendor patch is available — apply it immediately. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Identify all Craft CMS instances in your environment and verify their version numbers against the affected range (4.0.0-RC1 to <4.17.0-beta.1 and 5.9.0-beta.1). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-25497 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy