CVE-2026-50281
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
Craft CMS versions 5.7.0 through 5.9.20 contain a mass-assignment vulnerability in the bulk-duplicate element action. An attacker who can duplicate their own entries can submit an arbitrary id via the newAttributes parameter, leading to overwriting an existing victim entry.
Risk Assessment
The risk involves unauthorized modification or replacement of other users' entries, potentially leading to data integrity breaches and privilege escalation within the CMS.
Recommendation
Immediately upgrade Craft CMS to version 5.9.21 or later, which includes a fix for this vulnerability.
Original NVD description (English source)
Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21.

