CVE-2026-50281
Summary
There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes Alice’s attributes into Bob’s existing entry row.
Details
ElementsController::beforeAction() (src/controllers/ElementsController.php:119-124) pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level:
$this->_attributes = $this->request->getBodyParams();
// No funny business
if (isset($this->_attributes['id']) || isset($this->_attributes['canonicalId'])) {
throw new BadRequestHttpException('Changing an element’s ID is not allowed.');
}
The check inspects only the top-level payload. actionBulkDuplicate() (src/controllers/ElementsController.php:1708-1749) reads a separate newAttributes array and passes it straight through to the service layer:
$elementInfo = $this->request->getRequiredBodyParam('elements');
$newAttributes = $this->request->getRequiredBodyParam('newAttributes');
...
$safeNewAttributes = Collection::make($newAttributes)
->only($element->safeAttributes())
->all();
...
$newElement = $elementsService->duplicateElement(
$element,
$safeNewAttributes + $element::baseBulkDuplicateAttributes(),
false,
checkAuthorization: true,
);
Elements::duplicateElement() (src/services/Elements.php:1814-1840) clones the source element, sets id to null, and then hands the attacker's array to Craft::configure():
$mainClone = clone $element;
$mainClone->id = null;
$mainClone->uid = StringHelper::UUID();
...
Craft::configure($mainClone, ArrayHelper::merge(
$newAttributes,
$siteAttributes[$mainClone->siteId] ?? [],
));
Craft::configure() overwrites the reset id with any numeric value inside $newAttributes.
⚡ Watch CVE-2026-50281
Get an email if CVE-2026-50281 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.25% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 17% of all EPSS-scored CVEs.
Advisory coverage (2)
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-50281)