CVE-2026-28781
Mass Assignment in Craft CMS Allows Author Spoofing
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.0 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the Craft CMS content management system prior to versions 4.17.0-beta.1 and 5.9.0-beta.1. It allows a user with the "Create Entries" permission to manipulate the entry creation process by injecting the authorId or authorIds[] parameter into the POST request. The backend processes this parameter without verifying whether the user is authorized to assign authorship to others. As a result, an attacker can spoof the authorship of new entries by attributing them to any user, including administrators, even without permission to do so.

The vulnerability arises from improper authorization checks and insufficient control over which object attributes can be modified via user input, specifically allowing mass assignment of the authorId attribute. This flaw enables unauthorized modification of entry authorship during creation. [2, 3]
How can this vulnerability impact me?
This vulnerability can have significant impacts because it allows an attacker with limited permissions to create entries that appear to be authored by other users, including administrators. This authorship spoofing can be used to bypass review processes or gain trust by posting content under the guise of trusted or high-privilege users.
Such unauthorized content could be malicious or inappropriate, potentially damaging the reputation of the site or misleading users. It also represents a permission escalation risk, as attackers can effectively impersonate higher-privileged users within the CMS.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring POST requests to the Craft CMS entry creation endpoint for the presence of the authorId or authorIds[] parameter, which should not normally be present for users without the necessary permissions.

One way to detect exploitation attempts is to intercept and inspect HTTP POST requests during entry creation, looking for injected authorId parameters that assign authorship to users other than the requestor.

Commands or tools that can be used include proxy tools like Burp Suite or command-line tools such as curl combined with grep to analyze logs or intercepted requests.

- Use a proxy tool (e.g., Burp Suite) to intercept POST requests to the CMS entry creation endpoint and check for authorId or authorIds[] parameters.
- Search web server or application logs for POST requests containing 'authorId' or 'authorIds[]' parameters using commands like: `grep -i 'authorId' /path/to/access.log`
- Use curl to simulate entry creation requests and verify whether authorId parameters are accepted without proper authorization. [2]
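The log check above goes further than a plain grep: the detector below, an added example that is not part of this advisory, parses each entry-save request, extracts every author named via authorId or authorIds[], and reports only those requests where the authenticated user names someone other than themselves (users who legitimately may assign authors can be allowlisted). It assumes a proxy or WAF log in JSON-lines form that records the POST body and the authenticated user id (ordinary access logs do not contain bodies), and the `entries/save-entry` action name is an assumption about the Craft endpoint; the sample log lines are constructed.

```python
import json
from urllib.parse import parse_qs

# Constructed sample log (JSON lines) from a reverse proxy or WAF that records
# the form body of POST requests. The path/action name and the user_id field
# are assumptions about the logging setup, not values from the advisory.
SAMPLE_LOG = """\
{"ts":"2026-03-04T10:00:01Z","method":"POST","path":"/admin/actions/entries/save-entry","user_id":42,"body":"sectionId=3&title=Hello&authorId=1"}
{"ts":"2026-03-04T10:00:02Z","method":"POST","path":"/admin/actions/entries/save-entry","user_id":42,"body":"sectionId=3&title=Mine&authorId=42"}
{"ts":"2026-03-04T10:00:03Z","method":"POST","path":"/admin/actions/entries/save-entry","user_id":42,"body":"sectionId=3&title=Plain"}
{"ts":"2026-03-04T10:00:04Z","method":"POST","path":"/","user_id":7,"body":"action=entries%2Fsave-entry&title=Multi&authorIds%5B%5D=7&authorIds%5B%5D=1"}
{"ts":"2026-03-04T10:00:05Z","method":"GET","path":"/blog","user_id":42,"body":""}
"""

SAVE_ACTION = "entries/save-entry"  # assumed controller action for saving entries


def is_entry_save(record, form):
    """True if a POST targets the entry save action via its path or a hidden action field."""
    if record.get("method") != "POST":
        return False
    return SAVE_ACTION in record.get("path", "") or SAVE_ACTION in form.get("action", [])


def requested_authors(form):
    """Collect every numeric author id named by authorId or authorIds[] in a parsed body."""
    values = form.get("authorId", []) + form.get("authorIds[]", [])
    return {v for v in values if v.isdigit()}


def find_author_spoofing(log_text, may_assign_authors=frozenset()):
    """Report entry-save requests whose author field names someone other than the requester.

    may_assign_authors: ids of users allowed to set the author (e.g. admins);
    their requests are not reported.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        form = parse_qs(rec.get("body", ""), keep_blank_values=True)  # decodes authorIds%5B%5D too
        if not is_entry_save(rec, form):
            continue
        me = str(rec.get("user_id"))
        foreign = requested_authors(form) - {me}
        if foreign and me not in may_assign_authors:
            findings.append({"ts": rec["ts"], "user_id": me, "spoofed_authors": sorted(foreign)})
    return findings


if __name__ == "__main__":
    for finding in find_author_spoofing(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports the two requests that name user 1 as author while authenticated as users 42 and 7.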
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Craft CMS to a patched version where this vulnerability is fixed, specifically version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later.

Until the upgrade can be performed, restrict users with 'Create Entries' permission from accessing the entry creation functionality, or closely monitor and audit entry creation activities.

Additionally, review and tighten permission settings to ensure that only trusted users have the ability to create entries.

- Upgrade Craft CMS to version 4.17.0-beta.1, 5.9.0-beta.1, or later.
- Restrict or monitor users with 'Create Entries' permission until the patch is applied.
- Audit entry creation logs for suspicious authorId parameter usage. [2, 3]