CVE-2026-25497
Undergoing Analysis Undergoing Analysis - In Progress

Privilege Escalation in Craft CMS GraphQL Allows Cross-Volume Asset Modification

Vulnerability report for CVE-2026-25497, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-09

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-09
Last Modified
2026-02-19
Generated
2026-07-06
AI Q&A
2026-02-09
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0 (exc) to 4.17.0 (exc)
craftcms craft_cms From 5.0.0 (exc) to 5.9.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Craft CMS's GraphQL API in versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1. It is a Privilege Escalation issue where an authenticated user with write access to one asset volume can escalate their privileges to modify or transfer assets belonging to other volumes, including restricted or private ones. The problem arises because the saveAsset GraphQL mutation checks authorization against the volume defined in the schema but then fetches the target asset by ID without verifying if the asset actually belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer.

Impact Analysis

This vulnerability can allow an attacker who has limited write access to one asset volume to gain unauthorized access to other asset volumes, including restricted or private ones. This means they could modify or transfer assets they should not have access to, potentially leading to data tampering, unauthorized data exposure, or disruption of digital content managed by the platform.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Craft CMS to version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the issue is fixed.

Until the upgrade can be applied, restrict write access to asset volumes only to trusted users to minimize the risk of privilege escalation via the GraphQL API.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25497. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart