CVE-2026-50279
Status: Received - Intake

Authorship Spoofing in Craft CMS

Vulnerability report for CVE-2026-50279, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, EntriesController::actionSaveEntry() performs its entry-edit permission checks before request-controlled author changes are applied to the model, allowing authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change whenever the current user is one of the entry's existing authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry's authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.
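The ordering flaw in the description, modelled as an added Python example (this is not Craft CMS code and not part of the advisory): a save handler that authorizes once against the entry's original state and then applies request-controlled authors, beside a version that re-authorizes against the author list the request would produce. The class, function and permission names, the edit rule and the peer-author rule are hypothetical stand-ins chosen to mirror the description, not Craft's real permission model.

```python
"""
Added illustration, not Craft CMS source: a minimal model of the
check-before-mutate ordering described for CVE-2026-50279, beside a
version that re-authorizes against the mutated author list. All class,
function and permission names here are hypothetical stand-ins.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    pass


@dataclass
class User:
    id: int
    perms: set = field(default_factory=set)


@dataclass
class Entry:
    id: int
    author_ids: list


def can_edit(user, entry):
    # Hypothetical edit rule: a general edit permission, or being one of
    # the entry's current authors.
    return "editEntries" in user.perms or user.id in entry.author_ids


def can_change_peer_authors(user):
    # Stand-in for the dedicated peer-author-change permission.
    return "changePeerEntryAuthors" in user.perms


def save_entry_vulnerable(user, entry, request):
    """Flawed ordering: authorize once against the entry's original
    state, then apply request-controlled author changes without
    re-checking."""
    if not can_edit(user, entry):
        raise Forbidden("cannot edit entry")
    proposed = request.get("authors")
    if proposed is None:
        return entry
    # The mutation path only asks whether the caller is one of the OLD
    # authors; the dedicated permission is never consulted for them.
    if user.id in entry.author_ids or can_change_peer_authors(user):
        entry.author_ids = list(proposed)
        return entry
    raise Forbidden("cannot change authors")


def save_entry_fixed(user, entry, request):
    """Same entry-edit check, but the author change is authorized
    against what the request would produce, not what the entry was."""
    if not can_edit(user, entry):
        raise Forbidden("cannot edit entry")
    proposed = request.get("authors")
    if proposed is None:
        return entry
    # Any author added or removed other than the caller is a peer-author
    # change and requires the dedicated permission.
    changed_peers = (set(entry.author_ids) ^ set(proposed)) - {user.id}
    if changed_peers and not can_change_peer_authors(user):
        raise Forbidden("changing peer authors requires permission")
    entry.author_ids = list(proposed)
    return entry


def demo():
    """Attacker 7 is the sole author of entry 42, holds no permissions,
    and tries to hand the entry to user 9."""
    attacker = User(id=7)
    request = {"authors": [9]}
    outcome = {}
    vulnerable_entry = Entry(id=42, author_ids=[7])
    outcome["vulnerable"] = save_entry_vulnerable(
        attacker, vulnerable_entry, request).author_ids
    fixed_entry = Entry(id=42, author_ids=[7])
    try:
        save_entry_fixed(attacker, fixed_entry, request)
        outcome["fixed"] = fixed_entry.author_ids
    except Forbidden:
        outcome["fixed"] = "Forbidden"
    return outcome


if __name__ == "__main__":
    print(demo())  # {'vulnerable': [9], 'fixed': 'Forbidden'}
```

The point of the hardened version is where the check sits: it compares the old and proposed author sets and demands the dedicated permission for any difference that touches someone other than the caller, so being an existing author is no longer enough to hand the entry to somebody else.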

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-02
AI Q&A: 2026-07-02
EPSS Evaluated: N/A

Affected Vendors & Products

Vendor    Product    Version / Range
craftcms  craft_cms  from 5.0.0-RC1 (inclusive) to 5.9.21 (exclusive): affected
craftcms  craft_cms  5.9.21: the fixed release, outside the affected range

Helpful Resources

Exploitability

CWE

CWE-285 (Improper Authorization): The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

AI Quick Actions

Executive Summary

CVE-2026-50279 is a vulnerability in Craft CMS versions from 5.0.0-RC1 up to, but not including, 5.9.21 that allows authorship spoofing through the entries/save-entry endpoint.

The issue arises because permission checks are performed before author changes are applied, but not after. This means an authenticated attacker who can edit an entry and is among its existing authors can manipulate the authors[] parameter to reassign entry authorship to another user without needing the dedicated peer-author-change permission.

The system checks permissions based on the original entry state rather than the modified one, allowing low-privileged users to falsify content ownership.

Impact Analysis

This vulnerability allows low-privileged users to reassign content authorship to other users without proper authorization.

  • Falsify content ownership
  • Corrupt audit trails
  • Mislead notifications
  • Disrupt approval workflows
  • Reassign content responsibility improperly
Detection Guidance

This vulnerability involves manipulation of the `authors[]` (or `author`) parameter in requests to the `entries/save-entry` action of Craft CMS versions from 5.0.0-RC1 up to, but not including, 5.9.21. Detection therefore means watching requests to that action for author changes the requester should not have been able to make.

Specifically, look for HTTP POST requests to `entries/save-entry` in which `authors[]` or `author` names a user other than the requester, submitted by users who do not hold the dedicated peer-author-change permission. Because an authenticated user who is already an author of the entry is the expected actor, the requester's identity and role must be correlated from application-side logs or session data; the request alone does not prove abuse.

Web server access logs record the request line but not the POST body, so the `authors[]` parameter is only visible where request-body logging is enabled at the application, reverse proxy or WAF layer. A first pass over an access log can at least narrow to the endpoint; the body filter has to run over a body-inclusive log. Note that `[]` must be escaped or matched literally with `-F`: unescaped, `grep 'authors[]='` treats `[` as the start of a bracket expression and fails with "Unmatched [". For example:

  • grep 'POST .*entries/save-entry' /path/to/access.log
  • grep -F 'authors[]=' /path/to/request-body.log

Additionally, monitoring application logs for changes in entry authorship by low-privileged users or users who are not authorized to perform peer-author changes can help detect exploitation attempts.
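The detection logic described above, run over constructed sample log lines, as an added Python example (not code from the advisory, from Craft CMS or from any logging product). The log format is made up for this example: one line per request carrying the authenticated user id, method, path and raw POST body, which is the kind of record an application-level or WAF body-logging hook would produce. The allow-list of users holding the peer-author-change permission is also a constructed stand-in; in practice it would be derived from your Craft user groups. Craft addresses a controller action either by path under the configured action trigger (default `actions`) or by an `action` POST parameter on any URL, so both forms are matched.

```python
"""
Added detection example (not from Craft CMS or the advisory): flag
author reassignment via entries/save-entry by users not known to hold
the peer-author-change permission. Log format and allow-list below are
constructed for this example.
"""
import re
from urllib.parse import parse_qs

# Constructed sample lines: timestamp, authenticated user id, method,
# request path, then the raw POST body ("-" when there is none).
SAMPLE_LOG = """\
2026-07-02T10:15:01Z uid=7 POST /actions/entries/save-entry entryId=42&authors[]=9
2026-07-02T10:15:09Z uid=7 POST /actions/entries/save-entry entryId=43&authors[]=7
2026-07-02T10:16:30Z uid=3 POST /actions/entries/save-entry entryId=44&authors[]=3&authors[]=9
2026-07-02T10:17:02Z uid=7 POST /news/welcome action=entries/save-entry&entryId=45&author=9
2026-07-02T10:18:45Z uid=7 POST /actions/entries/save-entry entryId=46&title=Hello
2026-07-02T10:19:10Z uid=9 GET /admin/entries/news/42 -
"""

# Hypothetical allow-list: user ids that legitimately hold the dedicated
# peer-author-change permission (in practice, from Craft user groups).
PEER_AUTHOR_PERM_HOLDERS = {3}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) uid=(?P<uid>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<body>.*)$"
)


def is_save_entry(path, params):
    """Match both ways Craft addresses an action: the path form under the
    action trigger (default 'actions') and the `action` POST parameter."""
    if "/entries/save-entry" in path:
        return True
    return "entries/save-entry" in params.get("action", [])


def find_author_reassignments(log_text):
    """Return one alert per POST to entries/save-entry that proposes an
    author other than the requester, from a user outside the allow-list."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        body = m["body"]
        params = parse_qs("" if body == "-" else body, keep_blank_values=True)
        if not is_save_entry(m["path"], params):
            continue
        # Both parameter spellings named in the advisory.
        proposed = set(params.get("authors[]", []) + params.get("author", []))
        if not proposed:
            continue
        uid = m["uid"]
        # Naming anyone other than yourself is a peer-author change.
        if proposed - {uid} and int(uid) not in PEER_AUTHOR_PERM_HOLDERS:
            alerts.append({
                "ts": m["ts"],
                "uid": int(uid),
                "entry_id": params.get("entryId", ["?"])[0],
                "proposed_authors": sorted(int(a) for a in proposed),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_author_reassignments(SAMPLE_LOG):
        print(alert)
```

On the sample data this flags two requests: user 7 reassigning entry 42 to user 9 via the path form, and the same user reassigning entry 45 via the `action` parameter form. The self-assignment on entry 43, the change by allow-listed user 3, the save with no author parameter and the GET are all left alone. Hits are candidates, not confirmed exploitation: an entry whose author list genuinely changed should also be checked against the resulting state in the database.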

Mitigation Strategies

The primary mitigation step is to upgrade Craft CMS to version 5.9.21 or later, where this vulnerability has been fixed.

If an immediate upgrade is not possible, note that exploitation requires an authenticated user who can already edit the entry and is among its existing authors. Until the upgrade, review which user groups can create and edit entries, limit co-authoring by low-trust groups, and confirm that only users who are meant to reassign authorship hold the peer-author-change permission.

Additionally, monitor and audit changes to entry authorship to detect any unauthorized modifications.

Compliance Impact

This vulnerability allows low-privileged users to spoof authorship of content entries by reassigning entry authorship without proper authorization.

Such authorship spoofing can corrupt audit trails, mislead notifications, disrupt approval workflows, and misrepresent content responsibility.

These impacts can undermine data integrity and accountability, which are central to regulations such as GDPR and HIPAA that require accurate record-keeping and access control.
