Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-qq2c-2q8j-jh27 | Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap |
Fri, 03 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21. | |
| Title | Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap | |
| Weaknesses | CWE-285 | |
| References |
| |
| Metrics |
cvssV4_0
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T12:27:42.242Z
Reserved: 2026-06-04T16:26:05.985Z
Link: CVE-2026-50279
Updated: 2026-07-02T12:27:39.071Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-08T13:00:03Z
Github GHSA