Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AC:H reflects the specific permission prerequisite (move rights on source, read-only on destination); integrity impact is low as writes are confined to section metadata; no confidentiality breach beyond already-readable content.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.
AnalysisAI
Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three concurrent conditions: (1) the attacker must be an authenticated Craft CMS control-panel user - unauthenticated exploitation is not possible; (2) the attacker must have permission to move entries out of at least one source section, meaning Entry::canMove() returns true for their account on the source entry; (3) the attacker must have viewEntries permission on the target destination section but lack saveEntries permission on that same section - this is the specific misconfigured-permission state the bug exploits. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L) reflects a moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Craft CMS control-panel editor with permission to move entries out of a 'drafts' or 'general content' section identifies a protected 'approved-publications' section where they hold only read access. The attacker calls the actionMoveToSection() endpoint with the target sectionId of the protected section. … |
| Remediation | Upgrade to Craft CMS 5.9.21, which contains the patch committed at https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41215
GHSA-43cq-c2gq-pfpw