CVE-2026-50281
Status: Deferred - Pending Action

Mass Assignment in Craft CMS

Vulnerability report for CVE-2026-50281, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21, contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entries can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row.

ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level; actionBulkDuplicate(), however, reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attacker's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it.

This issue has been fixed in version 5.9.21.

Meta Information

Published: 2026-07-02
Last Modified: 2026-07-02
Generated: 2026-07-03
AI Q&A: 2026-07-02
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Showing 3 associated CPEs

Vendor     Product     Version / Range
craftcms   craft_cms   From 5.9.0 (inc) to 5.9.21 (exc)
craftcms   craft_cms   5.9.21
craftcms   craft_cms   to 5.9.21 (exc)

Exploitability

CWE-915: The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified.

Executive Summary

CVE-2026-50281 is a mass-assignment vulnerability in Craft CMS versions 5.7.0 to 5.9.20 that affects the bulk-duplicate element action. An attacker who can duplicate their own entries can submit a crafted request containing an arbitrary element ID in the newAttributes parameter. Although the system resets the element ID to null during duplication, the attacker's provided ID is merged into the element's attributes, causing the system to update an existing element instead of creating a new one. This allows the attacker to overwrite another user's entry data such as title, slug, author ID, post date, and UID.

The vulnerability arises because the security checks only validate the top-level request payload and do not filter the id field inside the newAttributes array. The duplication routine uses Craft::configure() which overwrites the reset ID with the attacker's supplied numeric value, leading to an UPDATE operation on the existing element rather than an INSERT.

This flaw affects all element types inheriting from the Entry model, including entries, categories, and users. The attacker only needs permission to duplicate their own entry and can exploit this by predicting or enumerating element IDs. The issue was fixed in version 5.9.21.

Impact Analysis

This vulnerability allows an attacker with low privileges to overwrite existing content entries they do not own by exploiting the bulk duplicate functionality. The attacker can modify critical attributes of another user's entry such as the title, slug, author ID, post date, and unique identifier.

As a result, the integrity and authenticity of content within the CMS can be compromised, potentially leading to misinformation, unauthorized content changes, or disruption of website functionality.

Because the attacker only needs permission to duplicate their own entries, this vulnerability can be exploited without elevated privileges, increasing the risk of unauthorized data manipulation.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or crafted requests to the bulk-duplicate element action in Craft CMS, specifically those containing the newAttributes parameter with an arbitrary id value.

Since the vulnerability involves a low-privileged user submitting a request that includes an id inside the newAttributes array to overwrite existing entries, detection can focus on inspecting HTTP requests to the ElementsController::actionBulkDuplicate endpoint.

Suggested commands include using network traffic inspection tools like tcpdump or Wireshark to capture HTTP POST requests to the CMS endpoint handling bulk duplication, then filtering for requests containing the newAttributes parameter with an id field.

  • Use curl or similar tools to manually test the bulk-duplicate endpoint by sending crafted POST requests with newAttributes containing an id to see if the system improperly updates existing entries.
  • Example command to capture HTTP traffic on port 80 or 443: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'newAttributes' (note that traffic on 443 is TLS-encrypted, so the grep only matches where the plaintext is visible, for example on the backend side of a TLS-terminating proxy).
  • Use application logs to identify duplicate element actions where the newAttributes parameter includes an id, which should normally be rejected.
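
An added detection example (not from the page or the Craft CMS project): it parses constructed bulk-duplicate request bodies, both form-encoded and JSON, and reports any id or canonicalId key carried inside newAttributes, which is exactly the condition the guidance above says should be rejected. It assumes actionBulkDuplicate is reached through the action parameter elements/bulk-duplicate; the sample bodies are constructed, not captured traffic.

```python
import json
from urllib.parse import parse_qsl

# Keys that must never arrive inside newAttributes: a numeric id there turns the
# duplicate into an UPDATE of an existing row (the CVE-2026-50281 flaw).
FORBIDDEN_KEYS = {"id", "canonicalId"}
# Assumption: ElementsController::actionBulkDuplicate is reached through the
# action parameter "elements/bulk-duplicate"; adjust for your routing if needed.
BULK_DUPLICATE_ACTION = "elements/bulk-duplicate"


def parse_request(content_type, body):
    """Return (action, newAttributes dict) from a JSON or form-encoded POST body."""
    if content_type.startswith("application/json"):
        data = json.loads(body)
        attrs = data.get("newAttributes")
        return data.get("action"), attrs if isinstance(attrs, dict) else {}
    # PHP-style nested form fields: newAttributes[id]=42 -> {"id": "42"}
    action, attrs = None, {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "action":
            action = value
        elif key.startswith("newAttributes[") and key.endswith("]"):
            attrs[key[len("newAttributes["):-1]] = value
    return action, attrs


def flag_request(content_type, body):
    """Sorted forbidden keys inside newAttributes of a bulk-duplicate request; [] if clean/out of scope."""
    action, attrs = parse_request(content_type, body)
    if action != BULK_DUPLICATE_ACTION:
        return []
    return sorted(k for k in attrs if k in FORBIDDEN_KEYS)


# Constructed sample traffic as (content type, raw body) pairs; not real captures.
SAMPLE_REQUESTS = [
    ("application/x-www-form-urlencoded",
     "action=elements%2Fbulk-duplicate&elementIds[]=17&newAttributes[title]=Draft+copy"),
    ("application/x-www-form-urlencoded",
     "action=elements%2Fbulk-duplicate&elementIds[]=17&newAttributes[id]=42"
     "&newAttributes[title]=Hijacked"),
    ("application/json",
     '{"action":"elements/bulk-duplicate","elementIds":[17],"newAttributes":{"canonicalId":42}}'),
    ("application/json",  # same payload shape under another action: out of scope here
     '{"action":"some-other/action","newAttributes":{"id":42}}'),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return [(index, forbidden_keys)] for every request that should be rejected."""
    return [(i, keys) for i, (ct, body) in enumerate(requests)
            if (keys := flag_request(ct, body))]
```

Running scan() over the constructed samples flags only the second and third request; the same parse_request() can be pointed at a reverse-proxy access log that records request bodies.
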

Mitigation Strategies

The immediate mitigation step is to upgrade Craft CMS to version 5.9.21 or later, where this mass-assignment vulnerability has been fixed.

Until the upgrade can be applied, restrict or disable the ability for low-privileged users to perform bulk-duplicate actions on entries they own.

Additionally, monitor and audit requests to the bulk-duplicate endpoint for suspicious activity involving the newAttributes parameter containing an id.

Review and tighten permissions related to entry duplication to limit the attack surface.

Compliance Impact

The vulnerability allows an attacker with limited permissions to overwrite existing entries in the Craft CMS by exploiting the bulk-duplicate functionality. This unauthorized modification of data could lead to integrity and confidentiality issues within the CMS.

Such unauthorized data modification may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized access or alteration of personal or sensitive information.

However, the provided information does not explicitly describe the direct impact on compliance frameworks or mention any regulatory consequences.
