CVE-2026-30452
Broken Access Control in Textpattern CMS Allows Article Modification
Publication date: 2026-04-21
Last updated on: 2026-04-22
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| textpattern | textpattern | 4.9.0 |
| textpattern | textpattern | up to 4.9.1 (excluding 4.9.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability is that users with limited permissions can alter or overwrite articles created by users with higher privileges. This can lead to unauthorized content changes, potential misinformation, defacement, or disruption of the website's content integrity. It undermines the trustworthiness and reliability of the content management system and can cause administrative and reputational issues for site owners.
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in Textpattern CMS version 4.9.0. It allows authenticated users with low privileges to modify articles that belong to users with higher privileges. The problem arises because the system does not properly enforce authorization checks when an attacker manipulates the article ID parameter during the duplicate-and-save workflow in the article management system. This lets the attacker bypass restrictions and overwrite content owned by other users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a broken access control issue in the article management system of Textpattern CMS 4.9.0, where authenticated users with low privileges can modify articles owned by higher-privilege users by manipulating the article ID parameter during the duplicate-and-save workflow.
To detect this vulnerability on your system, you can monitor or audit requests to the article management endpoints, specifically looking for unusual or unauthorized attempts to duplicate or save articles with manipulated article ID parameters.
Since the vulnerability is triggered by manipulating the article ID parameter in the file textpattern/include/txp_article.php, you can check web server logs or application logs for suspicious POST or GET requests containing unexpected or out-of-scope article IDs.
No specific commands or detection scripts are provided in the available resources.
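An added detection sketch, not from this CVE record or the Textpattern project: it walks constructed access-log lines and a constructed ownership map and flags save requests whose requesting user neither owns the target article ID nor holds site-wide edit rights. The `event`, `step` and `ID` query parameters and the `save` step value are assumed to match Textpattern's admin URL scheme, and the username column assumes HTTP authentication in front of the admin area.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined format). The third field is assumed
# to carry the CMS username via HTTP auth; otherwise use an application audit log.
SAMPLE_LOG = """\
203.0.113.10 - publisher [21/Apr/2026:10:01:02 +0000] "GET /textpattern/index.php?event=article&step=edit&ID=7 HTTP/1.1" 200 5120
203.0.113.11 - staffwriter [21/Apr/2026:10:02:15 +0000] "GET /textpattern/index.php?event=article&step=edit&ID=12 HTTP/1.1" 200 5010
203.0.113.11 - staffwriter [21/Apr/2026:10:03:40 +0000] "POST /textpattern/index.php?event=article&step=save&ID=7 HTTP/1.1" 302 0
203.0.113.12 - copyeditor [21/Apr/2026:10:05:01 +0000] "GET /textpattern/index.php?event=article&step=edit&ID=7 HTTP/1.1" 200 5120
"""
# Constructed ownership data standing in for the article table (ID -> author)
# and the privilege table of a real install.
ARTICLE_OWNER = {7: "publisher", 12: "staffwriter"}
SITE_WIDE_EDITORS = {"publisher", "copyeditor"}  # accounts allowed to edit any article
WRITE_STEPS = {"save"}  # assumed step value for the save half of duplicate-and-save

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)'
)

def parse_line(line):
    """Return one log line's fields plus its article event/step/ID, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = parse_qs(urlsplit(m["url"]).query)
    raw_id = q.get("ID", [""])[0]
    return {
        "user": m["user"], "ts": m["ts"], "method": m["method"],
        "event": q.get("event", [""])[0], "step": q.get("step", [""])[0],
        "id": int(raw_id) if raw_id.isdigit() else None,
    }

def find_cross_owner_writes(log_text, owners=ARTICLE_OWNER, editors=SITE_WIDE_EDITORS):
    """Flag write steps against IDs the requesting user neither owns nor may edit site-wide."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "article" or rec["id"] is None:
            continue
        if rec["step"] not in WRITE_STEPS:  # plain edit-form views are routine
            continue
        if rec["user"] in editors or owners.get(rec["id"]) == rec["user"]:
            continue  # authorised by role or by ownership
        hits.append((rec["user"], rec["id"], rec["step"], rec["method"], rec["ts"]))
    return hits
```

Each hit names the account, article ID, step, method and timestamp, which is enough to pull the matching application-side record and confirm whether the write actually went through.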
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended step to mitigate this vulnerability is to upgrade Textpattern CMS from version 4.9.0 to version 4.9.1 or later.
Textpattern 4.9.1, released on 14 February 2026, includes a fix that restores proper access control enforcement in the article management system, addressing this broken access control vulnerability.
Before upgrading, it is advised to back up all site files, databases, and uploaded content.
Following the upgrade instructions included in the release archive (INSTALL.txt and UPGRADE.txt) is important to ensure a smooth and secure update.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Textpattern CMS 4.9.0 allows authenticated users with low privileges to modify articles owned by users with higher privileges by bypassing authorization checks. This broken access control issue could lead to unauthorized modification of content, which may impact data integrity and confidentiality.
Such unauthorized access and modification could potentially affect compliance with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of data integrity and confidentiality. However, the provided information does not explicitly discuss compliance impacts or specific regulatory considerations.