CVE-2026-28782
Authorization Bypass in Craft CMS Duplicate Entry Action
Publication date: 2026-03-04
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0 (exc) to 4.17.0 (exc) |
| craftcms | craft_cms | From 5.0.0 (exc) to 5.9.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-28782 is a moderate-severity vulnerability in Craft CMS affecting versions before 5.9.0-beta.1 and 4.17.0-beta.1. The "Duplicate" entry action does not verify that the requesting user is permitted to duplicate the specific target elements named in the request.

Users holding only the "View Entries" permission, who cannot duplicate entries through the control panel UI, can bypass that restriction by sending a crafted direct request that lists the Entry IDs to duplicate, including entries belonging to other users.

Because Entry IDs are incremental, an attacker can enumerate them to find and duplicate restricted content across the system. The duplicated entries are created with the attacker as owner, giving the attacker full access to the copied content.

The vulnerability is classified as authorization bypass through a user-controlled key (CWE-639) and was fixed in versions 5.9.0-beta.1 and 4.17.0-beta.1. [1]
How can this vulnerability impact me?
An attacker with minimal permissions (only "View Entries") can escalate their effective privileges by duplicating entries they are not allowed to access.

By enumerating Entry IDs, the attacker can locate and duplicate restricted content belonging to other users, bypassing the access controls that normally hide it.

The attacker becomes the owner of the duplicated entries and gains full control over the copied content, which can lead to unauthorized disclosure of sensitive or confidential data and its further misuse. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation can be detected by monitoring POST requests to the control-panel endpoint `/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action` that carry the "Duplicate" action together with Entry IDs, particularly when they come from users who hold only "View Entries". Because the exploit bypasses the UI rather than the HTTP layer, such requests look like ordinary control-panel traffic; the distinguishing signals are who sent them and which Entry IDs they name.

One caveat: the action name and the Entry IDs travel in the POST body, which a standard web-server access log does not record. The access log can still show which clients hit the perform-action endpoint and how often; confirming that the action was "Duplicate" requires application logs, request-body logging at a reverse proxy or WAF, or correlating the requests with newly created entries.

Example searches (assuming Apache access logs with request bodies logged as JSON, and Craft application logs; adjust the paths to your deployment):

- grep -i 'perform-action' /var/log/apache2/access.log | grep 'Duplicate'
- grep -i 'Duplicate' /path/to/craftcms/logs/web.log

Additionally, unexpected new entries owned by low-privilege users, or bursts of duplication activity from a single account, may indicate exploitation. [1]
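The grep searches above only find the endpoint; deciding whether a hit is an exploitation attempt needs the requesting user, their permissions, and the pattern of Entry IDs. The script below is an added example (not Craft CMS code and not from the advisory) that does that triage over constructed sample log lines. The log layout, the POST parameter names (`elementAction`, `elementIds[]`) and the permission labels (`viewEntries`, `createEntries`) are assumptions standing in for your own proxy or application logs and Craft's real permission names.

```python
"""Triage perform-action requests for CVE-2026-28782 exploitation attempts.

Added example, not Craft CMS code. Log format, POST parameter names and
permission labels are constructed stand-ins; map them to your deployment.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

PERFORM_ACTION = "admin/actions/element-indexes/perform-action"

# Hypothetical log layout: client IP, authenticated control-panel user, method,
# path, POST body ("-" when there is none). A stock access log has no body
# column, so this assumes body logging at a reverse proxy or middleware.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)

# Constructed sample traffic (not real). editor_alice walks IDs 101-105 with
# the Duplicate action; author_bob duplicates a single entry he may create.
SAMPLE_LOG = """\
10.0.0.5 editor_alice POST /index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action elementAction=Duplicate&elementIds%5B%5D=101&elementIds%5B%5D=102&elementIds%5B%5D=103
10.0.0.5 editor_alice POST /index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action elementAction=Duplicate&elementIds%5B%5D=104&elementIds%5B%5D=105
10.0.0.9 author_bob POST /index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action elementAction=Duplicate&elementIds%5B%5D=42
10.0.0.9 author_bob GET /index.php?p=admin%2Fentries -
10.0.0.5 editor_alice POST /index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action elementAction=Delete&elementIds%5B%5D=7
"""

# Constructed permission map (labels are illustrative, not Craft's own).
SAMPLE_PERMISSIONS = {
    "editor_alice": {"viewEntries"},                    # "View Entries" only
    "author_bob": {"viewEntries", "createEntries"},
}


def parse_line(line):
    """Split one log line into fields; percent-decode the path."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])
    rec["body"] = "" if rec["body"] == "-" else rec["body"]
    return rec


def duplicate_requests(log_text):
    """Return (user, ip, [entry ids]) for every POST to perform-action
    whose body selects the Duplicate action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or PERFORM_ACTION not in rec["path"]:
            continue
        params = parse_qs(rec["body"])          # decodes elementIds%5B%5D -> elementIds[]
        action = params.get("elementAction", [""])[0]
        if not action.endswith("Duplicate"):
            continue
        ids = [int(i) for i in params.get("elementIds[]", []) if i.isdigit()]
        hits.append((rec["user"], rec["ip"], ids))
    return hits


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers; an enumeration signal."""
    s = sorted(set(ids))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def flag_suspicious(log_text, permissions, run_threshold=3):
    """Flag users who issue Duplicate actions without the permission to do so,
    or whose target IDs form a consecutive run (ID brute-forcing)."""
    per_user = defaultdict(list)
    for user, _ip, ids in duplicate_requests(log_text):
        per_user[user].extend(ids)
    findings = {}
    for user, ids in per_user.items():
        reasons = []
        if "createEntries" not in permissions.get(user, set()):
            reasons.append("Duplicate action from a user without create/duplicate permission")
        run = longest_consecutive_run(ids)
        if run >= run_threshold:
            reasons.append(f"{run} consecutive entry IDs targeted: possible ID enumeration")
        if reasons:
            findings[user] = {"ids": sorted(set(ids)), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, info in flag_suspicious(SAMPLE_LOG, SAMPLE_PERMISSIONS).items():
        print(user, info["ids"], *info["reasons"], sep="\n  ")
```

On the constructed sample the script reports only editor_alice, for both reasons; author_bob's single permitted duplication is not flagged. Tune `run_threshold` to your editors' habits: legitimate bulk duplication from the index page also produces adjacent IDs, so the permission check is the stronger signal and the run length mainly ranks the hits.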
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Craft CMS to a fixed version: 5.9.0-beta.1 or later on the 5.x line, or 4.17.0-beta.1 or later on the 4.x line.

The patch enforces per-element permission checks on the "Duplicate" action and other element actions, so that a user cannot act on entries they are not authorized to access merely by naming their IDs in the request.

If upgrading immediately is not possible, reduce exposure while you schedule it: review user accounts and groups, and remove "View Entries" (or control-panel access altogether) from accounts that do not need it, since that permission is the only prerequisite for the attack. Restricting the perform-action endpoint at the web server or WAF is also an option, but note that the same endpoint serves every bulk element action in the control panel, so blocking it for everyone breaks legitimate editorial workflows; limiting it to trusted networks or accounts is more practical.

Also monitor logs for the activity described above to detect exploitation attempts. [1, 2]
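To make the CWE-639 pattern described in the explanation and the nature of the fix concrete, here is an added toy model (not Craft CMS code, and not the actual patch): a `perform_action` handler that authorizes only the caller's access to the entry index and then trusts the caller-supplied IDs, beside one that authorizes every target element individually. The `Site`, `Entry` and `User` classes and the permission names `viewEntries`, `viewPeerEntries` and `createEntries` are constructed stand-ins for Craft's real element and permission model.

```python
"""Toy model of the CVE-2026-28782 authorization flaw (CWE-639) and its fix.

Added illustration, not Craft CMS code: the classes, the handler names and the
permission labels are simplified stand-ins for the real element-action flow.
"""
from dataclasses import dataclass


@dataclass
class Entry:
    id: int
    owner: str
    title: str


@dataclass
class User:
    name: str
    permissions: frozenset


class Site:
    def __init__(self):
        self.entries = {}
        self._next_id = 1  # incremental IDs, as on the page: trivially enumerable

    def last_id(self):
        return self._next_id - 1

    def create(self, owner, title):
        entry = Entry(self._next_id, owner, title)
        self.entries[entry.id] = entry
        self._next_id += 1
        return entry

    def can_view(self, user, entry):
        # Constructed rule: a user sees their own entries; seeing other users'
        # entries needs the extra (assumed) "viewPeerEntries" permission.
        return "viewEntries" in user.permissions and (
            entry.owner == user.name or "viewPeerEntries" in user.permissions
        )

    def can_duplicate(self, user, entry):
        return self.can_view(user, entry) and "createEntries" in user.permissions

    def duplicate(self, user, entry):
        # The copy is owned by whoever triggered the action.
        return self.create(owner=user.name, title=entry.title + " (copy)")

    def perform_action_vulnerable(self, user, element_ids):
        """Flawed handler: checks only that the caller may use the entry index,
        then acts on whatever IDs the request names (the CWE-639 pattern)."""
        if "viewEntries" not in user.permissions:
            raise PermissionError("cannot access entry index")
        return [self.duplicate(user, self.entries[i])
                for i in element_ids if i in self.entries]

    def perform_action_fixed(self, user, element_ids):
        """Hardened handler: authorizes each target element and rejects the
        whole batch if any target fails, so a forged ID cannot slip through."""
        targets = [self.entries[i] for i in element_ids if i in self.entries]
        denied = [e.id for e in targets if not self.can_duplicate(user, e)]
        if denied:
            raise PermissionError(f"not authorized to duplicate entries {denied}")
        return [self.duplicate(user, e) for e in targets]


def enumerate_and_duplicate(site, user, handler):
    """Attacker loop: walk the ID space that existed before the attack and
    keep every copy the handler hands back."""
    copies = []
    for eid in range(1, site.last_id() + 1):
        try:
            copies.extend(handler(user, [eid]))
        except PermissionError:
            pass
    return copies


def build_demo():
    """Constructed site: two admin-only entries plus one the viewer owns."""
    site = Site()
    site.create("admin", "Unreleased pricing")
    site.create("admin", "Board minutes")
    site.create("viewer", "My draft")
    viewer = User("viewer", frozenset({"viewEntries"}))  # "View Entries" only
    return site, viewer


if __name__ == "__main__":
    site, viewer = build_demo()
    print([e.title for e in enumerate_and_duplicate(site, viewer, site.perform_action_vulnerable)])
    site, viewer = build_demo()
    print([e.title for e in enumerate_and_duplicate(site, viewer, site.perform_action_fixed)])
```

Against the vulnerable handler the view-only user ends up owning copies of all three entries, including the two it could never open; against the fixed handler it gets nothing, while a user holding view, peer-view and create permissions still duplicates normally. The design point is where the check sits: a single gate on the endpoint authorizes the request, not the records it names, and any action that accepts a list of IDs has to re-authorize each one.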