Authorization Bypass Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-14793
5.3MEDIUM
What is CVE-2026-14793?
A vulnerability in Craft CMS versions up to 4.18.0.1 allows unauthorized users to exploit the actionReorderSets function in the GlobalsController.php file. This issue arises from inadequate authorization checks within the reorder-sets Endpoint, enabling attackers to manipulate sets without appropriate permissions. Remediation involves upgrading to Craft CMS version 4.18.1, which includes a critical patch (identified by commit 9bd05c91e6a7e6da5e949ec41a31c220c059aa04) to secure the system against such attacks. Immediate action is recommended to protect your installations.
Affected Version(s)
CMS 4.18.0.0
CMS 4.18.0.1
CMS 4.18.1
