๐Ÿ” CVE Alert

CVE-2026-50280

UNKNOWN 0.0

Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check

CVSS Score
0.0
EPSS Score
0.3%
EPSS Percentile
19th

Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.

CWE CWE-284
Vendor craftcms
Product cms
Published Jul 1, 2026
Last Updated Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for craftcms cms

Be the first to know when new unknown vulnerabilities affecting craftcms cms are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

craftcms / cms
>= 5.0.0-RC1, < 5.9.21

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/craftcms/cms/security/advisories/GHSA-43cq-c2gq-pfpw github.com: https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea