Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-28782 is a moderate severity vulnerability in the Craft CMS affecting versions before 5.9.0-beta.1 and 4.17.0-beta.1. The issue is with the "Duplicate" entry action, which does not properly verify if a user has permission to duplicate specific target elements.'}, {'type': 'paragraph', 'content': 'Users with only "View Entries" permission, who normally cannot duplicate entries, can bypass this restriction by sending a crafted direct request. This allows them to duplicate other users\' entries by specifying their Entry IDs.'}, {'type': 'paragraph', 'content': 'Since Entry IDs are incremental, an attacker can brute-force these IDs to find and duplicate restricted content across the system. The duplicated entries are created with the attacker as the owner, granting full access to the duplicated content.'}, {'type': 'paragraph', 'content': 'This vulnerability is classified as an authorization bypass through user-controlled key (CWE-639) and was fixed in versions 5.9.0-beta.1 and 4.17.0-beta.1.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker with minimal permissions (only "View Entries") to escalate their privileges by duplicating entries they should not have access to.'}, {'type': 'paragraph', 'content': 'By brute-forcing Entry IDs, an attacker can access and duplicate restricted content belonging to other users, effectively bypassing access controls.'}, {'type': 'paragraph', 'content': 'The attacker becomes the owner of the duplicated entries, gaining full control over sensitive or confidential content, which can lead to unauthorized data exposure, data leakage, or misuse of information.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized POST requests to the endpoint `/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action` that specify the "Duplicate" action along with Entry IDs. Since the vulnerability involves bypassing UI restrictions by sending crafted direct requests, inspecting logs for such suspicious requests from users with only "View Entries" permission can help identify exploitation attempts.'}, {'type': 'paragraph', 'content': 'A suggested approach is to search web server or application logs for POST requests containing the "Duplicate" action and Entry IDs, especially from users who should not have duplication permissions.'}, {'type': 'paragraph', 'content': 'Example command to search logs (assuming Apache logs and JSON payloads in logs):'}, {'type': 'list_item', 'content': "grep -i 'perform-action' /var/log/apache2/access.log | grep 'Duplicate'"}, {'type': 'list_item', 'content': "grep -i 'Duplicate' /path/to/craftcms/logs/web.log"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual duplication of entries or unexpected new entries owned by users with limited permissions may indicate exploitation.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate mitigation step is to upgrade Craft CMS to a fixed version where this vulnerability is patched. Specifically, update to version 5.9.0-beta.1 or later, or 4.17.0-beta.1 or later.'}, {'type': 'paragraph', 'content': 'The patch enforces proper permission checks on the "Duplicate" action and other element actions, preventing unauthorized users from duplicating entries they do not have permission to access.'}, {'type': 'paragraph', 'content': 'If upgrading immediately is not possible, consider restricting access to the affected endpoint and reviewing user permissions to ensure that users with only "View Entries" permission cannot send direct requests to perform duplication.'}, {'type': 'paragraph', 'content': 'Also, monitor logs for suspicious activity as described to detect potential exploitation attempts.'}] [1, 2]

Useful 0 Not Useful 0