Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H because the attacker must already be an existing author of the target entry; PR:L for the required low-privileged session; impact is integrity-only authorship spoofing, so C:N/I:H/A:N.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.
AnalysisAI
Authorization bypass in Craft CMS versions 5.0.0-RC1 through 5.9.20 lets a low-privileged authenticated user spoof entry authorship by reassigning an entry's author to an arbitrary user without holding the dedicated peer-author-change permission. Because EntriesController::actionSaveEntry() checks edit permissions before applying request-controlled author changes and never re-runs authorization after mutating the author list, any existing author of an entry can hijack attribution. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated low-privileged account (PR:L) that is already one of the current authors of the target entry - the mutation path only accepts the change 'when the current user is one of the old authors', which is the concrete precondition reflected by AT:P. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:L/UI:N, score 7.6) indicates a network-reachable, low-privileged attack with an attack requirement (AT:P) reflecting that the attacker must already be an existing author of the target entry - a meaningful precondition that narrows the exploit population. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A content contributor who is already listed as one of the authors on a shared entry crafts a save request that sets the 'authors' parameter to another user's ID. The controller applies the change without re-checking the peer-author-change permission, silently reassigning attribution and potentially misrepresenting who published or is accountable for the content. … |
| Remediation | Vendor-released patch: upgrade Craft CMS to version 5.9.21 or later, which re-runs authorization after author mutation and enforces the peer-author-change permission. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Craft CMS 5.0.0-RC1 through 5.9.20 installations in production. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-285 – Improper Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41214
GHSA-qq2c-2q8j-jh27