Permission Vulnerability in Craft CMS 5.6.0 to 5.9.14
CVE-2026-41128

5.3 MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
21 April 2026

What is CVE-2026-41128?

Craft CMS versions 5.6.0 through 5.9.14 contain a vulnerability in the actionSavePermissions() endpoint that allows users holding only the viewUsers permission to remove any user from all user groups. The cause is an inadequate authorization check: the _saveUserGroups() function validates the acting user's permissions when adding group memberships but not when removing them. Consequently, submitting an empty groups value silently deletes all existing group memberships of the affected users. The flaw is fixed in Craft CMS version 5.9.15.
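A simplified model of the flaw class described above, added here as an example and not taken from Craft CMS itself: the `assignUserGroup:<group>` permission name, the `User` class and the sample users are constructed assumptions, and the hardened variant is one reasonable fix (check every membership change, not only additions), not necessarily the exact change shipped in 5.9.15.

```python
# Model (added example, not Craft CMS code) of an authorization check that
# validates group ADDITIONS but not REMOVALS, so an empty submission strips
# every group from the target user, alongside a symmetric, hardened check.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user lacks a required permission."""


@dataclass
class User:
    id: int
    permissions: set[str]
    groups: set[str] = field(default_factory=set)


def assign_permission(group: str) -> str:
    # Hypothetical per-group permission name (assumption, not Craft's).
    return f"assignUserGroup:{group}"


def save_user_groups_vulnerable(actor: User, target: User, submitted: list[str]) -> set[str]:
    """Flawed pattern: only groups being added are checked; removals pass through."""
    wanted = set(submitted)
    for group in wanted - target.groups:          # additions only
        if assign_permission(group) not in actor.permissions:
            raise Forbidden(f"cannot assign {group}")
    target.groups = wanted                         # silently drops every removed group
    return target.groups


def save_user_groups_fixed(actor: User, target: User, submitted: list[str]) -> set[str]:
    """Hardened: every change, added or removed, requires the assign permission."""
    wanted = set(submitted)
    for group in wanted ^ target.groups:           # symmetric difference: adds and removes
        if assign_permission(group) not in actor.permissions:
            raise Forbidden(f"cannot change membership of {group}")
    target.groups = wanted
    return target.groups


def demo() -> tuple[set[str], str]:
    """Constructed scenario: an actor with only viewUsers submits an empty groups list."""
    actor = User(1, {"viewUsers"})
    target = User(2, {"viewUsers"}, {"editors", "authors"})
    stripped = save_user_groups_vulnerable(actor, target, [])   # all memberships gone
    target = User(2, {"viewUsers"}, {"editors", "authors"})
    try:
        save_user_groups_fixed(actor, target, [])
        outcome = "allowed"
    except Forbidden:
        outcome = "denied"
    return stripped, outcome


if __name__ == "__main__":
    print(demo())
```

Detection-wise, the same asymmetry is worth auditing in any membership or role endpoint: diff the submitted set against the stored set and confirm both directions are authorized.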

Affected Version(s)

cms >= 5.6.0, < 5.9.15

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
