Authorization Bypass in Craft CMS by Pixel & Tonic
CVE-2026-50280

6MEDIUM

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
1 July 2026

What is CVE-2026-50280?

In Craft CMS, the EntriesController::actionMoveToSection() allows low-privileged authenticated users to bypass section-level permissions. By exploiting this vulnerability, users can move entries to unauthorized sections where they possess read access without the corresponding write permissions. This breaks the editorial workflows and can lead to unauthorized content injection into secured sections. The issue has been addressed in Craft CMS version 5.9.21, ensuring proper checks are in place for section-level authorizations.

Affected Version(s)

cms >= 5.0.0-RC1, < 5.9.21

References

CVSS V4

Score:
6
Severity:
MEDIUM
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.