Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-28781

CVE-2026-28781: Craft CMS Auth Bypass Vulnerability

CVE-2026-28781 is an authentication bypass flaw in Craft CMS that allows users with Create Entries permission to spoof authorship by injecting authorId parameters. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-28781 Overview

CVE-2026-28781 is a Mass Assignment vulnerability in Craft CMS, a popular content management system. The flaw exists in the entry creation process, which allows unauthorized assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] or authorId parameter into POST requests, enabling them to attribute new entries to any user—including administrators—without proper authorization checks. This effectively enables authorship spoofing, which can be leveraged for social engineering, audit trail manipulation, or escalating perceived privileges within the CMS.

Critical Impact

Authenticated attackers can spoof entry authorship, attributing content to any user including administrators, potentially undermining content integrity and audit trails.

Affected Products

  • Craft CMS versions prior to 4.17.0-beta.1
  • Craft CMS versions prior to 5.9.0-beta.1
  • All Craft CMS 4.x and 5.x release candidates and stable versions before the fix

Discovery Timeline

  • 2026-03-04 - CVE-2026-28781 published to NVD
  • 2026-03-05 - Last updated in NVD database

Technical Details for CVE-2026-28781

Vulnerability Analysis

This vulnerability is classified as CWE-639: Authorization Bypass Through User-Controlled Key, which falls under the broader category of Broken Access Control. The entry creation endpoint in Craft CMS accepts user-controlled input that directly influences which user is recorded as the author of a new entry. Under normal circumstances, the authorId field is not exposed or editable for users without administrative privileges. However, the backend fails to validate whether the authenticated user has permission to assign authorship to other users before processing the parameter.

The exploitation requires only "Create Entries" permission, which is a relatively common privilege granted to content contributors. By manually adding the authorIds[] or authorId parameter to the POST request body, an attacker can designate any user account—including administrators—as the entry's author. This circumvents the expected access control behavior where only users with elevated permissions can assign entries to others.

Root Cause

The root cause is improper authorization validation during the entry creation process. The Craft CMS backend processes the authorId attribute from the request without verifying if the current user has permission to assign authorship to other users. This is a classic Mass Assignment vulnerability where the application binds user-supplied parameters directly to internal data models without adequate filtering or authorization checks.

Attack Vector

The attack is executed over the network and requires low privileges (an authenticated user with "Create Entries" permission). The attacker crafts a malicious POST request to the entry creation endpoint, injecting the authorId or authorIds[] parameter with the target user's ID. The following describes the attack flow:

  1. The attacker authenticates to Craft CMS with a user account that has "Create Entries" permission
  2. When creating a new entry, the attacker intercepts or crafts the POST request
  3. The attacker injects the authorIds[] or authorId parameter with the ID of the target user (e.g., an administrator)
  4. The backend processes the request without validating the attacker's permission to assign authorship
  5. The new entry is created with the spoofed author attribution

Since no verified code examples are available, organizations should refer to the GitHub Security Advisory GHSA-2xfc-g69j-x2mp for detailed technical information about the vulnerability mechanism and the fix implementation.

Detection Methods for CVE-2026-28781

Indicators of Compromise

  • Entry creation logs showing authorId or authorIds[] parameters in requests from users without author assignment permissions
  • Entries attributed to administrators or privileged users that were created outside their normal activity patterns
  • Audit trail discrepancies where entry authors deny creating specific content

Detection Strategies

  • Implement web application firewall (WAF) rules to flag POST requests to entry creation endpoints containing unexpected authorId or authorIds[] parameters
  • Review Craft CMS access logs for parameter injection attempts in entry creation requests
  • Enable and monitor detailed application-level logging for the entry creation workflow
  • Correlate entry creation events with authenticated user sessions to identify authorship mismatches

Monitoring Recommendations

  • Configure alerting for entries created with author IDs that don't match the authenticated session user
  • Implement periodic audits of content authorship to detect potential spoofing incidents
  • Monitor for unusual patterns in entry creation activity, particularly entries attributed to administrative users

How to Mitigate CVE-2026-28781

Immediate Actions Required

  • Upgrade Craft CMS 4.x installations to version 4.17.0-beta.1 or later
  • Upgrade Craft CMS 5.x installations to version 5.9.0-beta.1 or later
  • Review existing entries for potential authorship spoofing if exploitation is suspected
  • Implement network-level controls to limit access to the CMS administrative interface

Patch Information

Craftcms has released security patches addressing this vulnerability. The fixes are available in versions 4.17.0-beta.1 and 5.9.0-beta.1 and later. The patches implement proper authorization checks to validate that users have permission to assign authorship before processing the authorId parameter.

Relevant commits:

For complete details, see the GitHub Security Advisory GHSA-2xfc-g69j-x2mp.

Workarounds

  • Restrict "Create Entries" permissions to only essential users until patches can be applied
  • Implement application-level filtering to strip authorId and authorIds[] parameters from entry creation requests
  • Use a reverse proxy or WAF to block requests containing unauthorized author assignment parameters
  • Enable strict audit logging on all content creation operations for forensic purposes
bash
# Example: Block authorId parameter injection using nginx
location /admin/entries {
    # Strip authorId parameters for non-admin users
    if ($request_method = POST) {
        set $block_author "";
    }
    # Implement additional request filtering as needed
    # Consult your security team for production configurations
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.