Authorization Bypass in Craft CMS Affects Entry Permissions
CVE-2026-50279
7.6HIGH
What is CVE-2026-50279?
In Craft CMS, a flaw exists in the EntriesController::actionSaveEntry() method where permission checks are improperly implemented, allowing low-privileged users to change the authorship of an entry. This can lead to unauthorized author assignments since the existing authorization is not re-evaluated after modifications to the author list. This vulnerability can be exploited if an attacker sends crafted requests that alter author parameters of entries, thus bypassing the necessary permission checks. The issue has been resolved in version 5.9.21.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.21
