CVE-2026-28782: Authorization Bypass Through User-Controlled Key in Craft CMS

Severity: 5.3 MEDIUM (NVD)
EPSS: 0.0% (top 89.50%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 4

Description

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry ID

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Source      | Package               | Affected versions
Packagist   | craftcms/cms          | 5.0.0-RC1 to 5.9.0-beta.1 (+1 more range)
NVD         | craftcms/craft_cms    | < 4.17.0 (+3 more ranges)
CVEListV5   | craftcms/cms          | >= 4.0.0-RC1, < 4.17.0-beta.1; >= 5.0.0-RC1, < 5.9.0-beta.1 (+1 more range)

Patches

Vulnerability Details (3)

CVEList: Craft has a Permission Bypass and IDOR in Duplicate Entry Action (2026-03-04)
GHSA: Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action (2026-03-03)
OSV: Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action (2026-03-03)

Threat Intelligence (1)

Wiz: CVE-2026-28782 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-28782 - Craftcms Craft CMS vulnerability | cvebase