CVE-2026-25497Authorization Bypass Through User-Controlled Key in Craft CMS

CWE-639Authorization Bypass Through User-Controlled KeyCWE-269Improper Privilege Management5 documents5 sources
Severity
8.6HIGHNVD
EPSS
0.0%
top 95.29%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedFeb 9

Description

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization agains

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.9.0-beta.1+1
NVDcraftcms/craft_cms< 4.17.0+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.0-beta.1, >= 5.0.0-RC1, < 5.8.22+1

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft has a GraphQL Asset Mutation Privilege Escalation2026-02-09
OSV
Craft CMS: GraphQL Asset Mutation Privilege Escalation2026-02-09
GHSA
Craft CMS: GraphQL Asset Mutation Privilege Escalation2026-02-09

🕵️Threat Intelligence

1
Wiz
CVE-2026-25497 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-25497 — Craftcms Craft CMS vulnerability | cvebase