CVE-2026-14793
Received Received - Intake

Authorization Bypass in Craft CMS

Vulnerability report for CVE-2026-14793, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: VulDB

Description

A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to version 4.18.1 is able to address this issue. The patch is identified as 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The affected component should be upgraded.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
craftcms craft_cms to 4.18.0.1 (inc)
craftcms craft_cms 4.18.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an authorization bypass in Craft CMS versions up to 4.18.0.1. It affects the function actionReorderSets in the GlobalsController.php file, specifically in the reorder-sets endpoint. Due to this flaw, unauthorized users can remotely execute actions that should require admin privileges, such as reordering global sets.

The issue was fixed by adding an admin check in the actionReorderSets() method to ensure only users with admin rights can perform the reorder operation.

Impact Analysis

This vulnerability allows unauthorized users to bypass authorization controls and reorder global sets remotely. This could lead to unauthorized changes in the configuration or content structure managed by Craft CMS, potentially disrupting website functionality or content presentation.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to version 4.18.1 or later.

This update includes a patch that adds an admin check in the GlobalsController.php file, ensuring that the actionReorderSets() method requires admin privileges before processing requests, thus preventing unauthorized users from exploiting the authorization bypass.

Compliance Impact

The vulnerability in Craft CMS allows an authorization bypass, enabling unauthorized users to reorder global sets remotely. Such unauthorized access could potentially lead to improper handling or manipulation of data.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, authorization bypass vulnerabilities generally pose risks to data integrity and access control, which are critical components of these regulations.

Failure to properly restrict access could result in non-compliance with data protection requirements that mandate strict access controls and auditability, potentially leading to regulatory penalties.

Upgrading to version 4.18.1, which includes the patch fixing this issue by enforcing admin checks, helps mitigate these risks and supports compliance efforts.

Detection Guidance

There is no specific detection method or command provided in the available resources or CVE description for identifying exploitation attempts of this vulnerability on your network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14793. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart