Skip to main content

Craft CMS EUVDEUVD-2026-41215

| CVE-2026-50280 MEDIUM
Improper Access Control (CWE-284)
2026-07-02 security-advisories@github.com GHSA-43cq-c2gq-pfpw
6.0
CVSS 4.0 · Vendor: github
Share

Severity by source

Vendor (github) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.1 LOW

AC:H reflects the specific permission prerequisite (move rights on source, read-only on destination); integrity impact is low as writes are confined to section metadata; no confidentiality breach beyond already-readable content.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (github).

CVSS VectorVendor: github

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 02, 2026 - 20:17 EUVD
Analysis Generated
Jul 02, 2026 - 00:28 vuln.today

DescriptionCVE.org

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.

AnalysisAI

Improper access control in Craft CMS 5.x allows a low-privileged, authenticated control-panel user to inject content into sections where they hold only read access, bypassing the editorial authorization model. The EntriesController::actionMoveToSection() endpoint validates the destination section using viewEntries permission rather than the required saveEntries permission, enabling an attacker to rewrite an entry's sectionId and persist it into protected sections. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privileged control-panel user
Delivery
Identify protected destination section with view-only access
Exploit
Craft POST request to actionMoveToSection() with target sectionId
Execution
Bypass saveEntries check via viewEntries permission gap
Impact
Entry persisted into protected section without write authorization

Vulnerability AssessmentAI

Exploitation Exploitation requires three concurrent conditions: (1) the attacker must be an authenticated Craft CMS control-panel user - unauthenticated exploitation is not possible; (2) the attacker must have permission to move entries out of at least one source section, meaning Entry::canMove() returns true for their account on the source entry; (3) the attacker must have viewEntries permission on the target destination section but lack saveEntries permission on that same section - this is the specific misconfigured-permission state the bug exploits. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 4.0 score of 6.0 (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L) reflects a moderate real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Craft CMS control-panel editor with permission to move entries out of a 'drafts' or 'general content' section identifies a protected 'approved-publications' section where they hold only read access. The attacker calls the actionMoveToSection() endpoint with the target sectionId of the protected section. …
Remediation Upgrade to Craft CMS 5.9.21, which contains the patch committed at https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41215 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy