Skip to main content

Craft Cms CVE-2026-28781

MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-04 security-advisories@github.com GHSA-2xfc-g69j-x2mp
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
Mar 12, 2026 - 22:05 vuln.today
PoC Detected
Mar 05, 2026 - 19:55 vuln.today
Public exploit code
Patch released
Mar 05, 2026 - 19:55 nvd
Patch available
CVE Published
Mar 04, 2026 - 17:16 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

AnalysisAI

Craft CMS prior to versions 4.17.0-beta.1 and 5.9.0-beta.1 allows users with entry creation permissions to arbitrarily assign authorship of new entries to any user, including administrators, through mass assignment of the authorId parameter. Public exploit code exists for this vulnerability, enabling attackers to spoof entry authorship and manipulate content attribution. The vulnerability is fixed in the specified beta releases.

Technical ContextAI

Classified as CWE-639 (Authorization Bypass Through User-Controlled Key). Affects Craft Cms. Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually

RemediationAI

A vendor patch is available — apply it immediately. Fixed in version 4.17.0. Restrict network access to the affected service where possible.

CVE-2025-32432 CRITICAL POC
10.0 Apr 25

Craft CMS versions 3.x through 5.x contain a critical remote code execution vulnerability (CVSS 10.0) that allows unauth

CVE-2025-35939 MEDIUM
6.9 May 07

Craft CMS stores arbitrary content provided by unauthenticated users in session files. Rated medium severity (CVSS 6.9),

CVE-2023-41892 CRITICAL POC
9.8 Sep 13

Craft CMS is a platform for creating digital experiences. Rated critical severity (CVSS 9.8), this vulnerability is remo

CVE-2024-56145 CRITICAL POC
9.3 Dec 18

Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Rated critical sev

CVE-2024-37843 CRITICAL POC
9.8 Jun 25

Craft CMS up to v3.7.31 was discovered to contain a SQL injection vulnerability via the GraphQL API endpoint. Rated crit

CVE-2020-9757 CRITICAL POC
9.8 Mar 04

The SEOmatic component before 3.3.0 for Craft CMS allows Server-Side Template Injection that leads to RCE via malformed

CVE-2026-28697 CRITICAL POC
9.1 Mar 04

RCE in Craft CMS before 4.17.0-beta.1/5.9.0-beta.1 via template injection for authenticated admins. PoC and patch availa

CVE-2025-68456 CRITICAL POC
9.1 Jan 05

Craft CMS (5.0.0-RC1 through 5.8.20, 3.x through 4.16.16) allows unauthenticated users to trigger database backup operat

CVE-2025-68454 HIGH POC
8.8 Jan 05

Craft is a platform for creating digital experiences. Versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16 ar

CVE-2026-25495 HIGH POC
8.8 Feb 09

SQL injection in Craft CMS 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allows authenticated Control Panel use

CVE-2023-30130 HIGH POC
8.8 May 12

An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Sectio

CVE-2022-29933 HIGH POC
8.8 May 09

Craft CMS through 3.7.36 allows a remote unauthenticated attacker, who knows at least one valid username, to reset the a

Share

CVE-2026-28781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy