Skip to main content

Craft CMS CVE-2026-41128

MEDIUM
Missing Authorization (CWE-862)
2026-04-22 security-advisories@github.com
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 22, 2026 - 00:58 vuln.today
Analysis Generated
Apr 22, 2026 - 00:22 vuln.today
CVE Published
Apr 22, 2026 - 00:16 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions() endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While _saveUserGroups() enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups value removes all existing group memberships. Version 5.9.15 contains a patch.

AnalysisAI

Craft CMS versions 5.6.0 through 5.9.14 allow authenticated users with only viewUsers permission to remove arbitrary users from all user groups via the actionSavePermissions() endpoint, bypassing per-group authorization controls that protect group additions. An attacker can submit an empty groups value to strip all group memberships from any user, degrading access control integrity. The vulnerability has been patched in version 5.9.15.

Technical ContextAI

The vulnerability exists in the user group management functionality of Craft CMS, specifically in the _saveUserGroups() method within the actionSavePermissions() endpoint. The underlying issue (CWE-862: Missing Authorization) stems from asymmetric authorization enforcement: while the endpoint properly validates permissions before adding users to groups, it fails to perform equivalent authorization checks before removing users from groups. This authorization gap allows the removal operation to execute with insufficient privilege validation, even though the user lacks administrative permissions. The flaw affects the permission model where viewUsers permission grants read-only access to user data but should not grant modification rights to group membership.

Affected ProductsAI

Craft CMS versions 5.6.0 through 5.9.14 are affected. Version 5.9.15 and later contain the patch. Organizations running any version within the vulnerable range should prioritize patching. The vulnerability is specific to Craft CMS and does not affect other CMS platforms or Craft versions prior to 5.6.0.

RemediationAI

Upgrade Craft CMS to version 5.9.15 or later, which includes the authorization check for group removal operations. If immediate patching is not feasible, restrict the viewUsers permission to administrative or trusted roles only, reducing the pool of users who can access the actionSavePermissions() endpoint. Additionally, implement rate limiting and anomaly detection on group membership modifications to flag suspicious bulk removal operations. Audit existing user group configurations to verify that unexpected membership changes have not already been executed. No workarounds are available to fully disable the vulnerable endpoint without forking the codebase; patching is the definitive remediation.

Share

CVE-2026-41128 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy