CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50279

highcovered by 2 sourcesfirst seen 2026-07-02
Summary EntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. Details The control flow begins in EntriesController.php:249. actionSaveEntry() loads the entry and enforces edit permissions before calling _populateEntryModel(): public function actionSaveEntry(bool $duplicate = false): ?Response { ... $entry = $this->_editableEntry($this->request->getBodyParam('entryId'), $siteId); ... $this->enforceEditEntryPermissions($entry, $duplicate); ... $this->_populateEntryModel($entry); ... $success = Craft::$app->getElements()->saveElement($entry); } The attacker-controlled source is in EntriesController.php:588: $entry->setAttributesFromRequest(array_filter([ 'authorIds' => $this->request->getBodyParam('authors') ?? $this->request->getBodyParam('author') ?? $entry->getAuthorId() ?? static::currentUser()->id, ])); Entry::setAttributesFromRequest() in Entry.php:1124 extracts the new author IDs and applies them if canChangeAuthor() returns true: if ( ($authorIds !== null || $authorId !== null) && $this->canChangeAuthor() ) { $this->_oldAuthorIds = $oldAuthorIds; $this->setAuthorIds($authorIds); } canChangeAuthor() at [Entry.php](/D:/files/projects/cms-5

⚡ Watch CVE-2026-50279

Get an email if CVE-2026-50279 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-50279

CVE.org record

Embed the live status

CVE-2026-50279 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50279 status](https://www.csirts.com/badge/CVE-2026-50279)](https://www.csirts.com/cve/CVE-2026-50279)