Authorization Bypass in Craft CMS Affects Entry Permissions
CVE-2026-50279

7.6HIGH

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-50279?

In Craft CMS, a flaw exists in the EntriesController::actionSaveEntry() method where permission checks are improperly implemented, allowing low-privileged users to change the authorship of an entry. This can lead to unauthorized author assignments since the existing authorization is not re-evaluated after modifications to the author list. This vulnerability can be exploited if an attacker sends crafted requests that alter author parameters of entries, thus bypassing the necessary permission checks. The issue has been resolved in version 5.9.21.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.21

References

CVSS V4

Score:
7.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.