Skip to main content

Craft CMS EUVDEUVD-2026-41214

| CVE-2026-50279 HIGH
Improper Authorization (CWE-285)
2026-07-02 security-advisories@github.com GHSA-qq2c-2q8j-jh27
7.6
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
7.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

AC:H because the attacker must already be an existing author of the target entry; PR:L for the required low-privileged session; impact is integrity-only authorship spoofing, so C:N/I:H/A:N.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 20:17 EUVD
Analysis Generated
Jul 02, 2026 - 00:28 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.

AnalysisAI

Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as existing co-author
Delivery
Submit crafted saveEntry request with author parameter
Exploit
Edit-permission check passes pre-mutation
Execution
Author list mutated without re-authorization
Impact
Entry authorship reassigned to victim user

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated low-privileged account (PR:L) that is already one of the current authors of the target entry - the mutation path only accepts the change 'when the current user is one of the old authors', which is the concrete precondition reflected by AT:P. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N, score 7.6) indicates a network-reachable, low-privileged attack with an attack requirement (AT:P) reflecting that the attacker must already be an existing author of the target entry - a meaningful precondition that narrows the exploit population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A content contributor who is already listed as one of the authors on a shared entry crafts a save request that sets the 'authors' parameter to another user's ID. The controller applies the change without re-checking the peer-author-change permission, silently reassigning attribution and potentially misrepresenting who published or is accountable for the content. …
Remediation Vendor-released patch: upgrade Craft CMS to version 5.9.21 or later, which re-runs authorization after author mutation and enforces the peer-author-change permission. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Craft CMS 5.0.0-RC1 through 5.9.20 installations in production. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41214 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy