Craft CMS CVE-2026-41128
MEDIUMSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionGitHub Advisory
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions() endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While _saveUserGroups() enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups value removes all existing group memberships. Version 5.9.15 contains a patch.
AnalysisAI
Craft CMS versions 5.6.0 through 5.9.14 allow authenticated users with only viewUsers permission to remove arbitrary users from all user groups via the actionSavePermissions() endpoint, bypassing per-group authorization controls that protect group additions. An attacker can submit an empty groups value to strip all group memberships from any user, degrading access control integrity. The vulnerability has been patched in version 5.9.15.
Technical ContextAI
The vulnerability exists in the user group management functionality of Craft CMS, specifically in the _saveUserGroups() method within the actionSavePermissions() endpoint. The underlying issue (CWE-862: Missing Authorization) stems from asymmetric authorization enforcement: while the endpoint properly validates permissions before adding users to groups, it fails to perform equivalent authorization checks before removing users from groups. This authorization gap allows the removal operation to execute with insufficient privilege validation, even though the user lacks administrative permissions. The flaw affects the permission model where viewUsers permission grants read-only access to user data but should not grant modification rights to group membership.
Affected ProductsAI
Craft CMS versions 5.6.0 through 5.9.14 are affected. Version 5.9.15 and later contain the patch. Organizations running any version within the vulnerable range should prioritize patching. The vulnerability is specific to Craft CMS and does not affect other CMS platforms or Craft versions prior to 5.6.0.
RemediationAI
Upgrade Craft CMS to version 5.9.15 or later, which includes the authorization check for group removal operations. If immediate patching is not feasible, restrict the viewUsers permission to administrative or trusted roles only, reducing the pool of users who can access the actionSavePermissions() endpoint. Additionally, implement rate limiting and anomaly detection on group membership modifications to flag suspicious bulk removal operations. Audit existing user group configurations to verify that unexpected membership changes have not already been executed. No workarounds are available to fully disable the vulnerable endpoint without forking the codebase; patching is the definitive remediation.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today