CVE-2026-33162
Received Received - Intake
Improper Access Control in Craft CMS Entry Section Movement

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33162
EUVD
EUVD-2026-14944
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
craftcms craft_cms From 5.3.0 (inc) to 5.9.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to version 5.9.14 or later, where the issue has been patched.

Executive Summary

This vulnerability exists in Craft CMS versions from 5.3.0 up to but not including 5.9.14. It allows an authenticated control panel user who only has access to the control panel (accessCp) to move entries across different sections using the POST /actions/entries/move-to-section endpoint. This action can be performed even if the user does not have the required saveEntries permission for either the source or destination section.

The issue was fixed in version 5.9.14.

Impact Analysis

This vulnerability can impact you by allowing users with limited permissions to move content entries between sections without proper authorization. This could lead to unauthorized content manipulation, potentially disrupting content organization, workflow, or exposing content to unintended sections.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart