CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-qq2c-2q8j-jh27: Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap

highCVE-2026-50279
Summary EntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. Details The control flow begins in EntriesController.php:249. actionSaveEntry() loads the entry and enforces edit permissions before calling _populateEntryModel(): public function actionSaveEntry(bool $duplicate = false): ?Response { ... $entry = $this->_editableEntry($this->request->getBodyParam('entryId'), $siteId); ... $this->enforceEditEntryPermissions($entry, $duplicate); ... $this->_populateEntryModel($entry); ... $success = Craft::$app->getElements()->saveElement($entry); } The attacker-controlled source is in EntriesController.php:588: $entry->setAttributesFromRequest(array_filter([ 'authorIds' => $this->request->getBodyParam('authors') ?? $this->request->getBodyParam('author') ?? $entry->getAuthorId() ?? static::currentUser()->id, ])); Entry::setAttributesFromRequest() in Entry.php:1124 extracts the new author IDs and applies them if canChangeAuthor() returns true: if ( ($authorIds !== null || $authorId !== null) && $this->canChangeAuthor() ) { $this->_oldAuthorIds = $oldAuthorIds; $this->setAuthorIds($authorIds); } canChangeAuthor() at [Entry.php](/D:/files/projects/cms-5

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
high
Published
2026-07-02
Last updated
2026-07-02
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-qq2c-2q8j-jh27

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-50279coverage & exploitation statusNVD · CVE.org

Same CVEs, other sources

How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.

More from GitHub Security Advisories