Authorization Bypass in Craft CMS by Pixel & Tonic
CVE-2026-50280
6MEDIUM
What is CVE-2026-50280?
In Craft CMS, the EntriesController::actionMoveToSection() allows low-privileged authenticated users to bypass section-level permissions. By exploiting this vulnerability, users can move entries to unauthorized sections where they possess read access without the corresponding write permissions. This breaks the editorial workflows and can lead to unauthorized content injection into secured sections. The issue has been addressed in Craft CMS version 5.9.21, ensuring proper checks are in place for section-level authorizations.
Affected Version(s)
cms >= 5.0.0-RC1, < 5.9.21
