CVE-2026-25497
Undergoing Analysis Undergoing Analysis - In Progress
Privilege Escalation in Craft CMS GraphQL Allows Cross-Volume Asset Modification

Publication date: 2026-02-09

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25497
EUVD
EUVD-2026-6846
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0 (exc) to 4.17.0 (exc)
craftcms craft_cms From 5.0.0 (exc) to 5.9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Craft CMS's GraphQL API in versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1. It is a Privilege Escalation issue where an authenticated user with write access to one asset volume can escalate their privileges to modify or transfer assets belonging to other volumes, including restricted or private ones. The problem arises because the saveAsset GraphQL mutation checks authorization against the volume defined in the schema but then fetches the target asset by ID without verifying if the asset actually belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer.

Impact Analysis

This vulnerability can allow an attacker who has limited write access to one asset volume to gain unauthorized access to other asset volumes, including restricted or private ones. This means they could modify or transfer assets they should not have access to, potentially leading to data tampering, unauthorized data exposure, or disruption of digital content managed by the platform.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Craft CMS to version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the issue is fixed.

Until the upgrade can be applied, restrict write access to asset volumes only to trusted users to minimize the risk of privilege escalation via the GraphQL API.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart