CVE-2026-50280
MediumCVSS 6.0Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In Craft CMS versions 5.0.0-RC1 through 5.9.20, a vulnerability exists due to improper authorization in the EntriesController::actionMoveToSection() endpoint. An authenticated low-privileged user can move an entry to a section where they have only read access without the required write permissions, breaking the section-level authorization model.
Risk Assessment
The organization faces a risk of editorial boundary violations and bypass of approval workflows, potentially leading to unauthorized content injection into protected sections and disruption of section-specific business logic.
Recommendation
Immediately upgrade Craft CMS to version 5.9.21 or later, which contains the fix for this vulnerability.
Original NVD description (English source)
Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.

