CVE-2026-50280
Status: Received - Intake

Cross-Site Request Forgery in Craft CMS

Vulnerability report for CVE-2026-50280, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 3 associated CPEs

Vendor     Product     Version / Range
craftcms   craft_cms   up to 5.9.21 (excluding)
craftcms   craft_cms   5.9.21
craftcms   craft_cms   5.9.20

Note: the description above identifies 5.9.21 as the fixed release, so the CPE row that lists 5.9.21 as affected conflicts with it. Treat 5.x releases from 5.0.0-RC1 through 5.9.20 as affected and confirm the installed version directly rather than relying on the CPE list alone.

Helpful Resources

Exploitability

CWE

CWE-284 (Improper Access Control): The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

KEV

Attack-Flow Graph

Executive Summary

CVE-2026-50280 is an authorization bypass in Craft CMS affecting versions from 5.0.0-RC1 up to, but not including, 5.9.21. When an entry is moved between sections, the destination section is checked only for view permission rather than for save permission, so a low-privileged authenticated control-panel user can move content into sections where they have no write access.

Specifically, the EntriesController::actionMoveToSection() endpoint gates the destination section by viewEntries permission instead of saveEntries permission. The source entry is separately checked for move permission, but the destination section lacks proper write permission checks. This flaw lets users inject or relocate content into protected sections, breaking editorial boundaries and workflows.

Impact Analysis

The practical effect is that a low-privileged authenticated control-panel user can bypass section-level authorization: they can move an entry they are allowed to move out of its current section into a section where they hold only read access, even though they could not create or save an entry in that section directly.

Because section boundaries are how Craft separates editorial responsibilities, this undermines approval workflows and any section-specific business logic (templates, feeds, or integrations that trust the contents of a protected section). The impact is to content integrity: unauthorized content can appear in sections that were assumed to be writable only by trusted editors.

Detection Guidance

Look for authenticated POST requests that invoke the entries/move-to-section controller action from users whose permissions on the destination section are view-only. Two points matter when searching web server logs:

  • Craft control-panel action requests normally carry the control-panel trigger and the action trigger in the path (with default settings, /admin/actions/entries/move-to-section), or the action path in the p= query parameter when index.php is not omitted from URLs, so match on the action name rather than anchoring the pattern at the start of the path:

  • grep -E 'POST [^ ]*entries/move-to-section' /path/to/access.log

  • The same action can also be selected by an action form field in the POST body, which a standard access log does not record. A path-only search therefore has false negatives and should be treated as a starting point, not as proof of absence.

Web server logs do not identify the Craft user, so correlate hits with control-panel session data and with the affected entries' update timestamps and revision history to attribute them. Separately, audit user and user-group permissions in the control panel: any account that holds viewEntries but not saveEntries on a section is one that, on an unpatched install, could have moved entries into that section, and the entries in those sections deserve review.
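As an added example (not code from this page or from the Craft project), the Python script below implements the two checks described above: it scans constructed access-log lines for POSTs that invoke the move-to-section action, counting them per source IP, and it flags users whose permission set contains viewEntries:<uid> without the matching saveEntries:<uid>. The log lines, user names, section UIDs and the /admin/actions/ path prefix are assumed sample data; the permission-string format follows the viewEntries:$section->uid form quoted in the description.

```python
import re
from collections import Counter

# Constructed sample access-log lines (combined log format) for illustration;
# not taken from any real system. The control-panel trigger "admin" and the
# action trigger "actions" are Craft defaults and are assumed here.
SAMPLE_LOG = """\
203.0.113.10 - - [02/Jul/2026:10:01:12 +0000] "GET /admin/entries/blog/42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jul/2026:10:01:30 +0000] "POST /admin/actions/entries/move-to-section HTTP/1.1" 200 87 "https://cms.example/admin/entries/blog/42" "Mozilla/5.0"
198.51.100.7 - - [02/Jul/2026:10:02:01 +0000] "POST /admin/actions/entries/save-entry HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jul/2026:10:02:15 +0000] "POST /admin/actions/entries/move-to-section HTTP/1.1" 200 87 "-" "Mozilla/5.0"
203.0.113.10 - - [02/Jul/2026:10:02:40 +0000] "POST /index.php?p=admin/actions/entries/move-to-section HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_move_requests(log_text: str) -> list[dict]:
    """Return POSTs whose request target contains the move-to-section action.

    Matching on the action name (not the full path) catches the default
    /admin/actions/... form as well as the ?p=admin/actions/... routing form.
    Requests that pass the action only as a POST body field are not visible
    in an access log and will be missed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "POST" and "entries/move-to-section" in m["path"]:
            hits.append(m.groupdict())
    return hits


def count_by_ip(hits: list[dict]) -> Counter:
    """Count matching requests per source IP to surface repeated callers."""
    return Counter(h["ip"] for h in hits)


# Constructed user -> permission mapping; the user names and section UIDs are made up.
# Craft expresses section permissions as "viewEntries:<section uid>" and
# "saveEntries:<section uid>" strings, as quoted in the advisory description.
SAMPLE_PERMISSIONS = {
    "alice": {"viewEntries:aaaa-1111", "saveEntries:aaaa-1111", "viewEntries:bbbb-2222"},
    "bob":   {"viewEntries:bbbb-2222", "saveEntries:bbbb-2222"},
    "carol": {"viewEntries:aaaa-1111", "viewEntries:bbbb-2222"},
}


def view_only_sections(perms: dict[str, set[str]]) -> dict[str, set[str]]:
    """For each user, the section UIDs they can view but not save.

    On an unpatched install these are exactly the destination sections such a
    user could move an entry into; users with no view-only sections are omitted.
    """
    out: dict[str, set[str]] = {}
    for user, grants in perms.items():
        viewable = {p.split(":", 1)[1] for p in grants if p.startswith("viewEntries:")}
        savable = {p.split(":", 1)[1] for p in grants if p.startswith("saveEntries:")}
        gap = viewable - savable
        if gap:
            out[user] = gap
    return out


if __name__ == "__main__":
    hits = find_move_requests(SAMPLE_LOG)
    for ip, n in count_by_ip(hits).items():
        print(f"{ip}: {n} move-to-section POST(s)")
    for user, sections in view_only_sections(SAMPLE_PERMISSIONS).items():
        print(f"{user}: view-only on {sorted(sections)}")
```

The permission data would in practice come from an export of user-group and per-user permissions rather than a literal dictionary, and a hit in the log scan should be treated as a lead to confirm against the entry's section history, not as evidence of abuse on its own.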

Mitigation Strategies

The immediate fix is to upgrade Craft CMS to 5.9.21 or later. Per the advisory description, the fixed release gates the destination section on saveEntries:$section->uid rather than only viewEntries:$section->uid, so a user can no longer move an entry into a section they cannot write to.

If upgrading immediately is not possible, note that blocking the entries/move-to-section path at the web server is only a partial measure: Craft also accepts the action name as a form field in the POST body, so a path-based rule can be bypassed, and the rule disables legitimate moves as well. The more reliable interim control is to audit user groups and individual users and remove the ability to move entries out of sections from low-privileged accounts (and, where workable, remove view-only access to sensitive sections) until the upgrade is done.

Review and tighten section-level permissions in the CMS to prevent unauthorized content injection or relocation.

Compliance Impact

The vulnerability allows a low-privileged authenticated user to bypass section-level authorization controls and inject content into protected sections. This breaks editorial boundaries, approval workflows, and section-specific business logic.

Such unauthorized content manipulation and interference with editorial workflows could potentially lead to non-compliance with standards and regulations that require strict access controls and data integrity, such as GDPR and HIPAA.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.
