CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50281

highcovered by 2 sourcesfirst seen 2026-07-02
Summary There is a mass-assignment flaw in the bulk-duplicate element action. Alice, holding only the permission to duplicate an entry she owns, submits an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes Alice’s attributes into Bob’s existing entry row. Details ElementsController::beforeAction() (src/controllers/ElementsController.php:119-124) pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level: $this->_attributes = $this->request->getBodyParams(); // No funny business if (isset($this->_attributes['id']) || isset($this->_attributes['canonicalId'])) { throw new BadRequestHttpException('Changing an element’s ID is not allowed.'); } The check inspects only the top-level payload. actionBulkDuplicate() (src/controllers/ElementsController.php:1708-1749) reads a separate newAttributes array and passes it straight through to the service layer: $elementInfo = $this->request->getRequiredBodyParam('elements'); $newAttributes = $this->request->getRequiredBodyParam('newAttributes'); ... $safeNewAttributes = Collection::make($newAttributes) ->only($element->safeAttributes()) ->all(); ... $newElement = $elementsService->duplicateElement( $element, $safeNewAttributes + $element::baseBulkDuplicateAttributes(), false, checkAuthorization: true, ); Elements::duplicateElement() (src/services/Elements.php:1814-1840) clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(): $mainClone = clone $element; $mainClone->id = null; $mainClone->uid = StringHelper::UUID(); ... Craft::configure($mainClone, ArrayHelper::merge( $newAttributes, $siteAttributes[$mainClone->siteId] ?? [], )); Craft::configure() overwrites the reset id with any numeric value inside $newAttributes.

⚡ Watch CVE-2026-50281

Get an email if CVE-2026-50281 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-50281

CVE.org record

Embed the live status

CVE-2026-50281 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50281 status](https://www.csirts.com/badge/CVE-2026-50281)](https://www.csirts.com/cve/CVE-2026-50281)