Authorization Bypass Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-14793

5.3MEDIUM

Key Information:

Vendor

Craft

Status
Vendor
CVE Published:
6 July 2026

What is CVE-2026-14793?

A vulnerability in Craft CMS versions up to 4.18.0.1 allows unauthorized users to exploit the actionReorderSets function in the GlobalsController.php file. This issue arises from inadequate authorization checks within the reorder-sets Endpoint, enabling attackers to manipulate sets without appropriate permissions. Remediation involves upgrading to Craft CMS version 4.18.1, which includes a critical patch (identified by commit 9bd05c91e6a7e6da5e949ec41a31c220c059aa04) to secure the system against such attacks. Immediate action is recommended to protect your installations.

Affected Version(s)

CMS 4.18.0.0

CMS 4.18.0.1

CMS 4.18.1

References

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

geochen (VulDB User)
.