Skip to main content

EUVDEUVD-2026-14944

| CVE-2026-33162 MEDIUM
Improper Authorization (CWE-285)
2026-03-24 https://github.com/craftcms/cms GHSA-f582-6gf6-gx4g
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:30 euvd
EUVD-2026-14944
Analysis Generated
Mar 24, 2026 - 17:30 vuln.today
Patch released
Mar 24, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 17:28 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Summary

An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section.

Details

Root-cause analysis
  1. actionMoveToSection accepts sectionId and entryIds, loads entries, and iterates:

Craft::$app->getEntries()->moveEntryToSection($entry, $section).

  1. The endpoint does not enforce per-entry or per-section authorization checks.
  2. moveEntryToSection() also does not enforce current-user authorization.
  3. There is a permission check in actionMoveToSectionModalData for building UI options, but that check is not enforced in the actual endpoint.
  4. Therefore, a direct POST request can bypass UI filtering and perform unauthorized entry moves.

Impact

  • This is an authorization bypass permitting unauthorized content changes.
  • Authenticated low-privileged control panel users can move entries they should not be able to manage, violating integrity and potentially disrupting routing/editorial controls.

AnalysisAI

An authorization bypass vulnerability exists in Craft CMS that allows authenticated control panel users with minimal accessCp permission to move entries across sections without possessing the required saveEntries:{sectionUid} permissions for either source or destination sections. The vulnerability affects Craft CMS versions prior to 5.9.14 and results from missing authorization enforcement in the POST /actions/entries/move-to-section endpoint, enabling low-privileged users to perform unauthorized content modifications that violate integrity controls and potentially disrupt editorial workflows and content routing. A patch is available from the vendor.

Technical ContextAI

Craft CMS is a flexible, user-friendly headless CMS built on PHP (identified via CPE pkg:composer/craftcms_cms). The vulnerability stems from a CWE-285 (Improper Authorization) flaw in the entry management module. Specifically, the actionMoveToSection controller method accepts sectionId and entryIds parameters, iterates through entries, and invokes Craft::$app->getEntries()->moveEntryToSection($entry, $section) without enforcing per-entry or per-section permission checks. While a permission validation exists in actionMoveToSectionModalData (which builds the UI options users see), this check is not replicated in the actual POST endpoint handler. This allows attackers to craft direct HTTP POST requests that bypass the UI-layer filtering and invoke the underlying moveEntryToSection() method, which also lacks authorization verification, creating a classic authorization bypass where the permission enforcement is present only in UI rendering, not in the business logic.

RemediationAI

Upgrade Craft CMS to version 5.9.14 or later immediately (refer to https://github.com/craftcms/cms/releases/tag/5.9.14 for release notes and installation instructions). The fix, committed at https://github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e, adds proper authorization checks to the actionMoveToSection endpoint to enforce saveEntries:{sectionUid} permission validation before allowing entry moves. For environments unable to patch immediately, implement network-level access controls restricting POST requests to /actions/entries/move-to-section to trusted administrators only, and audit role assignments to ensure minimal-privilege users (accessCp without saveEntries) do not have unexpected control panel access. Additionally, enable audit logging for entry modifications to detect unauthorized moves during the patching window.

Share

EUVD-2026-14944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy