CVE-2026-28781Authorization Bypass Through User-Controlled Key in Craft CMS

CWE-639Authorization Bypass Through User-Controlled KeyCWE-915Improperly Controlled Modification of Dynamically-Determined Object Attributes5 documents5 sources
Severity
7.1HIGHNVD
EPSS
0.0%
top 86.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Craftcms Craft CMSCraftcms CMS
Timeline
PublishedMar 4

Description

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

Packagistcraftcms/cms5.0.0-RC15.9.0-beta.1+1
NVDcraftcms/craft_cms< 4.17.0+3
CVEListV5craftcms/cms>= 4.0.0-RC1, < 4.17.0-beta.1, >= 5.0.0-RC1, < 5.9.0-beta.1+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

3
CVEList
Craft Affected by Entries Authorship Spoofing via Mass Assignment2026-03-04
OSV
Craft CMS: Entries Authorship Spoofing via Mass Assignment2026-03-03
GHSA
Craft CMS: Entries Authorship Spoofing via Mass Assignment2026-03-03

🕵️Threat Intelligence

1
Wiz
CVE-2026-28781 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-28781 — Craftcms Craft CMS vulnerability | cvebase