CVE Catalog

CVE-2026-50280

MediumCVSS 6.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.27%

19th percentile — higher than 19% of all known CVEs

Summary

In Craft CMS versions 5.0.0-RC1 through 5.9.20, a vulnerability exists due to improper authorization in the EntriesController::actionMoveToSection() endpoint. An authenticated low-privileged user can move an entry to a section where they have only read access without the required write permissions, breaking the section-level authorization model.

Risk Assessment

The organization faces a risk of editorial boundary violations and bypass of approval workflows, potentially leading to unauthorized content injection into protected sections and disruption of section-specific business logic.

Recommendation

Immediately upgrade Craft CMS to version 5.9.21 or later, which contains the fix for this vulnerability.

Original NVD description (English source)

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS