CVE Catalog

CVE-2026-50279

HighCVSS 7.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

16th percentile — higher than 16% of all known CVEs

Summary

In Craft CMS versions 5.0.0-RC1 through 5.9.20, a vulnerability allows bypassing permission checks when saving entries. A low-privileged user can change the author of an entry to another user without the required permissions, leading to authorship spoofing.

Risk Assessment

The risk is that an unauthorized user can reassign entry authorship to another person, potentially compromising content integrity and trust in the content management system.

Recommendation

Immediately update Craft CMS to version 5.9.21 or later, which contains a fix for this vulnerability.

Original NVD description (English source)

Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS