CVE-2026-41128 Overview
CVE-2026-41128 is an authorization bypass vulnerability in Craft CMS, a popular content management system. The vulnerability exists in the actionSavePermissions() endpoint, which allows a user with only viewUsers permission to remove arbitrary users from all user groups. While the _saveUserGroups() function enforces per-group authorization checks for group additions, it fails to perform equivalent authorization checks for removals. This asymmetric authorization logic means that submitting an empty groups value removes all existing group memberships without proper verification.
Critical Impact
Low-privileged users with only viewUsers permission can strip group memberships from any user, potentially disrupting access controls across the entire CMS.
Affected Products
- Craft CMS versions 5.6.0 through 5.9.14
Discovery Timeline
- 2026-04-22 - CVE-2026-41128 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41128
Vulnerability Analysis
This vulnerability falls under CWE-862 (Missing Authorization), representing a broken access control issue in Craft CMS's user management functionality. The root problem lies in an inconsistent application of authorization checks between adding and removing users from groups.
When a user attempts to add members to a group, the _saveUserGroups() function correctly verifies that the requesting user has appropriate permissions for that specific group. However, the same function lacks corresponding authorization validation when processing group removals. An attacker who possesses only the viewUsers permission—a relatively common and low-privilege capability—can exploit this oversight to manipulate user group assignments.
The endpoint is reachable over the network by any authenticated account that holds viewUsers, and exploitation is low complexity: a single request carrying an empty groups value. No data is disclosed and the only state modified is group membership, but the practical consequence is loss of access: every permission a target user derived from group membership disappears, and when the targets are administrators the disruption can extend across the whole CMS until memberships are restored.
Root Cause
The root cause is a missing authorization check in the _saveUserGroups() function, which the actionSavePermissions() endpoint calls to apply the submitted groups value. The code path for group additions enforces a per-group authorization check, but the removal path was implemented without the equivalent control. Because the submitted value replaces the target's entire group set, an attacker never has to enter the checked addition path: a value containing no groups produces only removals, and removals bypass the permission check that protects additions.
Attack Vector
The attack is conducted over the network against the actionSavePermissions() endpoint by an authenticated attacker holding only the viewUsers permission. The attacker submits a POST request that names a target user ID and supplies an empty groups value. Because the submitted value replaces the target's group set and the removal path performs no per-group authorization, the server strips every existing group membership from the target without the check that would have blocked an addition. Legitimate users then lose access to the protected resources and administrative functions tied to their former groups.
For detailed technical information, refer to the GitHub Security Advisory.
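To make the asymmetry described in the Root Cause and Attack Vector sections concrete, the following small model was added to this write-up. It is not Craft CMS code and is written in Python rather than PHP so it runs without a Craft install: viewUsers is the permission named above, while the per-group permission name assignUserGroup:<id>, the User class and the function names are assumptions made for the example. The check_removals flag switches between the vulnerable logic (only additions checked) and the symmetric logic the fix restores.

```python
"""Model of the additions-checked / removals-unchecked asymmetry (CWE-862).

Added example for this write-up; NOT Craft CMS source. The endpoint's
behaviour is modelled from the advisory text only. VIEW_USERS mirrors the
viewUsers permission; "assignUserGroup:<id>" is an assumed name for
whatever per-group check the real _saveUserGroups() performs.
"""
from dataclasses import dataclass, field

VIEW_USERS = "viewUsers"


def assign_perm(group_id: int) -> str:
    # Assumed per-group permission name, used only by this model.
    return f"assignUserGroup:{group_id}"


@dataclass
class User:
    id: int
    groups: set = field(default_factory=set)
    permissions: set = field(default_factory=set)


def save_user_groups(actor: User, target: User, requested: set,
                     *, check_removals: bool) -> set:
    """Replace target's group set with `requested`, as the endpoint does.

    check_removals=False reproduces the vulnerable logic: only groups being
    ADDED get a per-group check; groups being REMOVED are dropped silently.
    check_removals=True is the symmetric (fixed) logic.
    """
    if VIEW_USERS not in actor.permissions:
        raise PermissionError("viewUsers required to reach this endpoint")
    current = set(target.groups)
    added = requested - current
    removed = current - requested
    for gid in sorted(added):
        if assign_perm(gid) not in actor.permissions:
            raise PermissionError(f"cannot add user to group {gid}")
    if check_removals:
        for gid in sorted(removed):
            if assign_perm(gid) not in actor.permissions:
                raise PermissionError(f"cannot remove user from group {gid}")
    target.groups = set(requested)
    return target.groups


def low_priv_strip_vulnerable() -> set:
    """viewUsers-only actor submits an empty groups value: nothing is added,
    so no per-group check fires, and every membership is removed."""
    attacker = User(id=1, permissions={VIEW_USERS})
    admin = User(id=2, groups={10, 20})
    return save_user_groups(attacker, admin, set(), check_removals=False)


def low_priv_strip_fixed() -> str:
    """Same request against the symmetric check: rejected on the first
    removal the actor is not allowed to make."""
    attacker = User(id=1, permissions={VIEW_USERS})
    admin = User(id=2, groups={10, 20})
    try:
        save_user_groups(attacker, admin, set(), check_removals=True)
    except PermissionError as exc:
        return str(exc)
    return "no error raised"


def authorized_change_fixed() -> set:
    """An actor holding the per-group permission can still remove legitimately."""
    manager = User(id=3, permissions={VIEW_USERS, assign_perm(10), assign_perm(20)})
    member = User(id=4, groups={10, 20})
    return save_user_groups(manager, member, {20}, check_removals=True)


if __name__ == "__main__":
    print("vulnerable:", low_priv_strip_vulnerable())   # set()
    print("fixed:", low_priv_strip_fixed())              # cannot remove user from group 10
    print("authorized:", authorized_change_fixed())      # {20}
```

The point to take from the model is that the empty value is not a special case the code has to handle: it is simply the input for which the checked branch never executes. Any fix that only rejects an empty value would miss a request that keeps one group and drops the rest; the check has to be applied to the removal set itself.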
Detection Methods for CVE-2026-41128
Indicators of Compromise
- Requests to the actionSavePermissions() endpoint from accounts that hold viewUsers but no group-assignment permission (web server logs do not record permissions, so correlate the authenticated user or session with the current permission set)
- Audit log entries showing user group membership changes where groups were removed without corresponding additions
- Multiple users unexpectedly losing group memberships in a short time frame
- User accounts with empty group assignments that previously had group memberships
Detection Strategies
- Monitor authentication and authorization logs for requests to user management endpoints from low-privileged accounts
- Implement anomaly detection for bulk group membership changes or removal patterns
- Review application or WAF logs for POST requests to actionSavePermissions() whose groups parameter is empty or absent (standard web server access logs do not capture POST bodies, so this requires application-level or WAF logging)
- Alert on group membership changes made by users who lack explicit group management permissions
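The detection strategies above, implemented as runnable logic over constructed input. This is an added example, not Craft CMS code and not an official detection rule. It assumes (1) an application log that records the acting user ID and the decoded POST parameters (the sample lines below are constructed; a stock web-server access log does not contain POST bodies, so something must emit these fields), (2) that the action name users/save-permissions is what Craft's routing convention derives from actionSavePermissions(), which should be verified against real logs, and (3) a constructed per-user permission snapshot in which assignUserGroup:<id> stands in for the real per-group permission names.

```python
"""Detection logic for the strategies listed above, run over constructed input.

Added example, not Craft CMS code. SAMPLE_LOG and PERMISSIONS are constructed;
the route users/save-permissions is assumed from actionSavePermissions().
"""
import re
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
2026-04-23T10:00:01Z user=5 POST action=users/save-permissions userId=12 groups=3,4
2026-04-23T10:00:07Z user=9 POST action=users/save-permissions userId=2 groups=
2026-04-23T10:00:09Z user=9 POST action=users/save-permissions userId=3 groups=
2026-04-23T10:00:12Z user=9 GET action=users/edit-user userId=3
2026-04-23T10:00:15Z user=5 POST action=users/save-permissions userId=7 groups=
"""

# Constructed permission snapshot: user 5 manages groups, user 9 has viewUsers only.
PERMISSIONS = {
    5: {"viewUsers", "assignUserGroup:3", "assignUserGroup:4"},
    9: {"viewUsers"},
}

SAVE_PERMISSIONS_ACTION = "users/save-permissions"  # assumed route, see docstring

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<actor>\d+) (?P<method>\w+) "
                     r"action=(?P<action>\S+)(?P<params>.*)$")
PARAM_RE = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class Finding:
    ts: str
    actor: int
    target: int
    reason: str


def suspicious_requests(log: str, perms: dict) -> list:
    """Flag POSTs to the save-permissions action whose groups value is empty
    or absent and whose actor holds no per-group assignment permission."""
    findings = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["method"] != "POST" or m["action"] != SAVE_PERMISSIONS_ACTION:
            continue
        params = dict(PARAM_RE.findall(m["params"]))
        actor = int(m["actor"])
        can_assign = any(p.startswith("assignUserGroup:") for p in perms.get(actor, ()))
        if params.get("groups", "") == "" and not can_assign:
            findings.append(Finding(m["ts"], actor, int(params.get("userId", -1)),
                                    "empty groups value from actor without group-assignment permission"))
    return findings


def burst_actors(findings: list, window_seconds: int = 60, min_count: int = 2) -> set:
    """Actors with >= min_count findings inside one window: several users
    losing groups in a short time frame is one of the indicators above."""
    by_actor = {}
    for f in findings:
        ts = datetime.fromisoformat(f.ts.replace("Z", "+00:00"))
        by_actor.setdefault(f.actor, []).append(ts)
    bursty = set()
    for actor, times in by_actor.items():
        times.sort()
        for i in range(len(times) - min_count + 1):
            if (times[i + min_count - 1] - times[i]).total_seconds() <= window_seconds:
                bursty.add(actor)
                break
    return bursty


def removal_only_changes(before: dict, after: dict) -> dict:
    """Audit-side check: users whose group set only shrank between two
    snapshots (removals with no corresponding additions)."""
    out = {}
    for uid, old in before.items():
        new = after.get(uid, set())
        if old - new and not (new - old):
            out[uid] = old - new
    return out


if __name__ == "__main__":
    hits = suspicious_requests(SAMPLE_LOG, PERMISSIONS)
    for h in hits:
        print(h)                                   # two findings, both actor 9
    print("burst actors:", burst_actors(hits))     # {9}
    print(removal_only_changes({2: {1, 2}, 3: {1}, 7: {5}, 12: {3}},
                               {2: set(), 3: set(), 7: {5, 6}, 12: {3, 4}}))  # {2: {1, 2}, 3: {1}}
```

Note that the legitimate removal by user 5 at 10:00:15 is not flagged, because the rule keys on the actor's permissions rather than on the empty value alone; an empty groups value is a normal administrative action. The snapshot comparison in removal_only_changes() is the fallback when request-level data is unavailable, since the group table itself is the one record the attacker cannot avoid changing.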
Monitoring Recommendations
- Enable detailed logging for all user management operations in Craft CMS
- Implement real-time alerting for group membership modifications, especially bulk removals
- Regularly audit user permissions and group assignments for unexpected changes
- Deploy web application firewall (WAF) rules to detect suspicious parameter patterns in user management requests
How to Mitigate CVE-2026-41128
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.15 or later immediately
- Review audit logs for any suspicious group membership changes since deployment of affected versions
- Verify current user group assignments match expected configurations
- Temporarily restrict viewUsers permission to only trusted administrators until patch is applied
Patch Information
Craft CMS has released version 5.9.15 which contains the fix for this vulnerability. The patch adds proper authorization checks to the group removal logic within _saveUserGroups(), ensuring that the same permission validation applied to group additions is now enforced for removals. The fix can be reviewed in the GitHub commit. Organizations should update through their standard Craft CMS update process using Composer or the control panel update feature.
Workarounds
- Restrict the viewUsers permission to only highly trusted administrators pending upgrade
- Implement additional access controls at the web server or reverse proxy level to limit access to user management endpoints
- Enable comprehensive logging and monitoring for all requests to actionSavePermissions() endpoint
- Consider temporarily disabling user group management features if not critical to operations
# Upgrade Craft CMS using Composer: raise the craftcms/cms constraint in composer.json
# and update it together with its dependencies
composer require "craftcms/cms:^5.9.15" -w
# Apply any pending migrations and project config changes
php craft up
# Verify the installed version
composer show craftcms/cms | grep versions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

