CVE-2026-33162 Overview
CVE-2026-33162 is an authorization bypass vulnerability affecting Craft CMS, a popular content management system. The vulnerability allows authenticated control panel users with minimal permissions (only accessCp) to move entries across sections via the POST /actions/entries/move-to-section endpoint, even when they do not have the required saveEntries:{sectionUid} permission for either the source or destination section. This improper authorization check enables unauthorized content manipulation within the CMS.
Critical Impact
Authenticated attackers with basic control panel access can bypass permission restrictions to move content entries between sections without proper authorization, potentially disrupting content organization and bypassing editorial workflows.
Affected Products
- Craft CMS versions 5.3.0 through 5.9.13
- Vendor / product (NVD CPE naming): craftcms / craft_cms
Discovery Timeline
- 2026-03-24 - CVE-2026-33162 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33162
Vulnerability Analysis
This vulnerability is classified under CWE-285 (Improper Authorization), indicating a failure in the application's access control mechanisms. The vulnerable endpoint /actions/entries/move-to-section does not properly verify that the authenticated user has the necessary saveEntries:{sectionUid} permission before allowing entry movements between sections.
The attack can be executed over the network without requiring any user interaction. An attacker needs only low-privilege authenticated access to the control panel (the accessCp permission). While the vulnerability does not impact confidentiality or availability, it poses a significant integrity risk as unauthorized users can modify the location of content entries within the CMS structure.
Root Cause
The root cause of this vulnerability lies in insufficient permission validation within the entries/move-to-section action handler. The controller action fails to check whether the requesting user possesses the appropriate saveEntries:{sectionUid} permission for both the source section (where the entry currently resides) and the destination section (where the entry is being moved). This missing authorization check allows any user with basic control panel access to invoke the endpoint and move entries arbitrarily.
Attack Vector
The attack is executed over the network by an authenticated user with minimal control panel access. The attacker sends a crafted POST request to the /actions/entries/move-to-section endpoint, specifying target entry IDs and the destination section. Since the server-side code does not validate section-level permissions, the request succeeds despite the user lacking proper authorization.
The vulnerability manifests in the entry movement functionality where permission checks are bypassed. Authenticated users with only accessCp permission can submit POST requests to move entries between sections without the required saveEntries:{sectionUid} authorization. See the GitHub Security Advisory GHSA-f582-6gf6-gx4g for detailed technical information.
Detection Methods for CVE-2026-33162
Indicators of Compromise
- Unusual POST requests to /actions/entries/move-to-section from users without saveEntries permissions
- Audit logs showing entry section changes performed by users with only accessCp privileges
- Unexpected content organization changes or entries appearing in unauthorized sections
Detection Strategies
- Monitor web server access logs for POST requests targeting the /actions/entries/move-to-section endpoint and correlate with user permission levels
- Implement application-level logging to track entry movements and flag operations performed by users lacking appropriate section permissions
- Review Craft CMS audit trails for section movement events and verify the initiating user had proper authorization
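The correlation step from the strategies above, as an added example that is not code from this page or from Craft CMS: it runs over constructed application-log lines and a constructed user-to-permission map (the log format, user names and section UIDs are assumptions; the permission names accessCp and saveEntries:{sectionUid} are the ones the advisory describes) and flags moves whose actor lacked saveEntries on the source or destination section.

```python
import re
from dataclasses import dataclass

ENDPOINT = "/actions/entries/move-to-section"
# Constructed application-log lines (not Craft's own log format): the move
# action is assumed to be logged with user, entry IDs and both section UIDs.
SAMPLE_LOG = """\
2026-03-25T09:12:01Z user=alice method=POST path=/actions/entries/move-to-section entryIds=101,102 from=sec-news to=sec-blog
2026-03-25T09:15:44Z user=bob method=POST path=/actions/entries/move-to-section entryIds=103 from=sec-news to=sec-blog
2026-03-25T09:16:10Z user=bob method=GET path=/actions/entries/edit/103
2026-03-25T09:20:30Z user=carol method=POST path=/actions/entries/move-to-section entryIds=104 from=sec-blog to=sec-press
"""

# Constructed permission map (user -> permission keys), using the accessCp and
# saveEntries:{sectionUid} permission names from the advisory.
USER_PERMS = {
    "alice": {"accessCp", "saveEntries:sec-news", "saveEntries:sec-blog"},
    "bob": {"accessCp"},                            # control panel access only
    "carol": {"accessCp", "saveEntries:sec-blog"},  # source section only
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) path=(?P<path>\S+)"
    r"(?: entryIds=(?P<ids>\S+) from=(?P<src>\S+) to=(?P<dst>\S+))?$"
)

@dataclass
class Finding:
    ts: str
    user: str
    entry_ids: list
    missing: list  # permission keys the acting user lacked

def required_perms(src_uid, dst_uid):
    """A move needs saveEntries on both the source and the destination section."""
    return {f"saveEntries:{src_uid}", f"saveEntries:{dst_uid}"}

def find_unauthorized_moves(log_text, user_perms):
    """Return move requests whose actor lacked a required section permission."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != ENDPOINT or not m["ids"]:
            continue  # not a move-to-section request, or fields not logged
        needed = required_perms(m["src"], m["dst"])
        missing = sorted(needed - user_perms.get(m["user"], set()))
        if missing:
            findings.append(Finding(m["ts"], m["user"], m["ids"].split(","), missing))
    return findings
```

On a patched instance the same correlation should produce no findings; on an unpatched one each finding is a move the server accepted without the section permission.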
Monitoring Recommendations
- Enable detailed logging for all control panel actions in Craft CMS
- Set up alerts for content manipulation events from users with minimal permissions
- Regularly audit user permissions to ensure the principle of least privilege is maintained
How to Mitigate CVE-2026-33162
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.14 or later immediately
- Review recent entry movement activity in audit logs to identify potential unauthorized changes
- Temporarily restrict control panel access to only essential users until patching is complete
Patch Information
Craft CMS has released version 5.9.14, which addresses this authorization bypass. The fix is documented in the GitHub commit referenced by the advisory and implements proper permission validation for the entry movement functionality.
Workarounds
- Restrict control panel access (accessCp permission) to only trusted users who require it for their role
- Implement network-level controls (WAF rules, IP restrictions) to limit access to the Craft CMS control panel
- Monitor and audit the /actions/entries/move-to-section endpoint for suspicious activity until the patch can be applied
# Update Craft CMS via Composer (composer require also records the new constraint in composer.json)
composer require "craftcms/cms:^5.9.14" --with-all-dependencies
# Apply any pending migrations, then verify the installed version
php craft up
composer show craftcms/cms | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.