πŸ” CVE Alert

CVE-2026-50279

UNKNOWN 0.0

Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.

CWE CWE-285
Vendor craftcms
Product cms
Published Jul 1, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published β€” delivered to Slack, Telegram or Discord.

Get Free Alerts β†’ Free Β· No credit card Β· 60 sec setup

Affected Versions

craftcms / cms
>= 5.0.0-RC1, < 5.9.21

References

NVD β†— CVE.org β†— EPSS Data β†—
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-qq2c-2q8j-jh27 github.com: https://github.com/craftcms/cms/commit/9cc493be8b414d7116c7f2bc2a6d0926e73f1248