Mass Assignment Vulnerability in Craft CMS Affects User Authorship Attribution
CVE-2026-28781
What is CVE-2026-28781?
Craft CMS has a vulnerability that allows users with 'Create Entries' permissions to exploit the entry creation process, leading to unauthorized authorship assignments. An attacker can manipulate the authorId parameter in a POST request, enabling them to attribute new entries to any user, including administrators. This poses a significant security risk as it undermines the integrity of content authorship. The issue has been resolved in versions 4.17.0-beta.1 and 5.9.0-beta.1.
Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.
Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.0-beta.1 < 5.0.0-RC1, 5.9.0-beta.1
cms >= 4.0.0-RC1, < 4.17.0-beta.1 < 4.0.0-RC1, 4.17.0-beta.1
References
CVSS V4
Timeline
Vulnerability published
Vulnerability Reserved