Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section.
Details
Root-cause analysis
- actionMoveToSection accepts sectionId and entryIds, loads entries, and iterates:
Craft::$app->getEntries()->moveEntryToSection($entry, $section).
- The endpoint does not enforce per-entry or per-section authorization checks.
moveEntryToSection()also does not enforce current-user authorization.- There is a permission check in
actionMoveToSectionModalDatafor building UI options, but that check is not enforced in the actual endpoint. - Therefore, a direct POST request can bypass UI filtering and perform unauthorized entry moves.
Impact
- This is an authorization bypass permitting unauthorized content changes.
- Authenticated low-privileged control panel users can move entries they should not be able to manage, violating integrity and potentially disrupting routing/editorial controls.
AnalysisAI
An authorization bypass vulnerability exists in Craft CMS that allows authenticated control panel users with minimal accessCp permission to move entries across sections without possessing the required saveEntries:{sectionUid} permissions for either source or destination sections. The vulnerability affects Craft CMS versions prior to 5.9.14 and results from missing authorization enforcement in the POST /actions/entries/move-to-section endpoint, enabling low-privileged users to perform unauthorized content modifications that violate integrity controls and potentially disrupt editorial workflows and content routing. A patch is available from the vendor.
Technical ContextAI
Craft CMS is a flexible, user-friendly headless CMS built on PHP (identified via CPE pkg:composer/craftcms_cms). The vulnerability stems from a CWE-285 (Improper Authorization) flaw in the entry management module. Specifically, the actionMoveToSection controller method accepts sectionId and entryIds parameters, iterates through entries, and invokes Craft::$app->getEntries()->moveEntryToSection($entry, $section) without enforcing per-entry or per-section permission checks. While a permission validation exists in actionMoveToSectionModalData (which builds the UI options users see), this check is not replicated in the actual POST endpoint handler. This allows attackers to craft direct HTTP POST requests that bypass the UI-layer filtering and invoke the underlying moveEntryToSection() method, which also lacks authorization verification, creating a classic authorization bypass where the permission enforcement is present only in UI rendering, not in the business logic.
RemediationAI
Upgrade Craft CMS to version 5.9.14 or later immediately (refer to https://github.com/craftcms/cms/releases/tag/5.9.14 for release notes and installation instructions). The fix, committed at https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e, adds proper authorization checks to the actionMoveToSection endpoint to enforce saveEntries:{sectionUid} permission validation before allowing entry moves. For environments unable to patch immediately, implement network-level access controls restricting POST requests to /actions/entries/move-to-section to trusted administrators only, and audit role assignments to ensure minimal-privilege users (accessCp without saveEntries) do not have unexpected control panel access. Additionally, enable audit logging for entry modifications to detect unauthorized moves during the patching window.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14944
GHSA-f582-6gf6-gx4g