EUVD-2026-14944

CVE-2026-33162 | MEDIUM 4.9 (CVSS 4.0)
2026-03-24 https://github.com/craftcms/cms GHSA-f582-6gf6-gx4g

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

EUVD ID Assigned
Mar 24, 2026 - 17:30 euvd
EUVD-2026-14944
Analysis Generated
Mar 24, 2026 - 17:30 vuln.today
Patch Released
Mar 24, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 17:28 nvd

Description

### Summary

An authenticated control panel user with only accessCp can move entries across sections via POST `/actions/entries/move-to-section`, even when they do not have `saveEntries:{sectionUid}` permission for either source or destination section.

### Details

#### Root-cause analysis

1. actionMoveToSection accepts sectionId and entryIds, loads entries, and iterates: `Craft::$app->getEntries()->moveEntryToSection($entry, $section)`.
2. The endpoint does not enforce per-entry or per-section authorization checks.
3. `moveEntryToSection()` also does not enforce current-user authorization.
4. There is a permission check in `actionMoveToSectionModalData` for building UI options, but that check is not enforced in the actual endpoint.
5. Therefore, a direct POST request can bypass UI filtering and perform unauthorized entry moves.

### Impact

* This is an authorization bypass permitting unauthorized content changes.
* Authenticated low-privileged control panel users can move entries they should not be able to manage, violating integrity and potentially disrupting routing/editorial controls.
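The root cause above is a controller action that trusts the UI's filtering instead of checking permissions itself. The following is an added illustration of what an enforcing version of that action looks like; it is not Craft's own code or the vendor's patch. It assumes Craft's `craft\web\Controller` base class, `requirePostRequest()`, `Craft::$app->getUser()->getIdentity()`, `User::can()`, `Entry::getSection()`, `Section::uid`, `asSuccess()`, and `getEntries()->getSectionById()` (Craft 5 naming), plus the `saveEntries:{sectionUid}` permission name from the advisory.

```php
<?php
// Added illustration (not Craft's code or the vendor's fix) of the per-entry,
// per-section authorization the advisory says the move endpoint lacks.
// Assumed Craft APIs: requirePostRequest(), getUser()->getIdentity(), User::can(),
// Entry::getSection(), Section::uid, getEntries()->getSectionById(), asSuccess().
namespace app\controllers;

use Craft;
use craft\elements\Entry;
use craft\web\Controller;
use yii\web\BadRequestHttpException;
use yii\web\ForbiddenHttpException;
use yii\web\Response;

class EntriesController extends Controller
{
    public function actionMoveToSection(): Response
    {
        $this->requirePostRequest();
        $request = Craft::$app->getRequest();
        $user = Craft::$app->getUser()->getIdentity(); // CP actions require a logged-in user
        $entriesService = Craft::$app->getEntries();

        $sectionId = (int)$request->getRequiredBodyParam('sectionId');
        $entryIds = array_map('intval', (array)$request->getRequiredBodyParam('entryIds'));

        $target = $entriesService->getSectionById($sectionId);
        if ($target === null) {
            throw new BadRequestHttpException("Invalid section ID: $sectionId");
        }
        // Destination check: the caller must be allowed to save into the target section.
        if (!$user->can("saveEntries:{$target->uid}")) {
            throw new ForbiddenHttpException('Not permitted to save entries in the target section.');
        }

        // Source check on every entry *before* moving any of them, so one forbidden
        // entry in the batch fails the whole request instead of leaving a partial move.
        $entries = Entry::find()->id($entryIds)->status(null)->all();
        foreach ($entries as $entry) {
            $source = $entry->getSection();
            if ($source === null || !$user->can("saveEntries:{$source->uid}")) {
                throw new ForbiddenHttpException("Not permitted to move entry {$entry->id}.");
            }
        }

        foreach ($entries as $entry) {
            $entriesService->moveEntryToSection($entry, $target);
        }
        return $this->asSuccess(Craft::t('app', 'Entries moved.'));
    }
}
```

The same permission checks belong in `moveEntryToSection()` itself, or in a `canSave`-style element check, so that any other caller of the service cannot bypass them either.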

Analysis

An authorization bypass vulnerability exists in Craft CMS that allows authenticated control panel users with minimal accessCp permission to move entries across sections without possessing the required saveEntries:{sectionUid} permissions for either source or destination sections. The vulnerability affects Craft CMS versions prior to 5.9.14 and results from missing authorization enforcement in the POST /actions/entries/move-to-section endpoint, enabling low-privileged users to perform unauthorized content modifications that violate integrity controls and potentially disrupt editorial workflows and content routing. …


Remediation

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Vendor patch is available.


Priority Score

25
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0
