Description
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Published: 2026-02-09
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

Craft CMS's GraphQL API exposes an asset mutation (saveAsset) that lets an authenticated caller with write permission to one asset volume modify or transfer assets that belong to other volumes, including restricted or private ones. The mutation authorizes the caller against the volume resolved from the GraphQL schema, then loads the target asset by its ID without checking that the asset actually resides in that volume, so an ID from any volume is accepted. This is a missing object-level authorization check (CWE-639) that yields privilege escalation across volumes.
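The following is an added illustration of the bug class described above; it is not Craft CMS code and does not reproduce Craft's real resolver, schema scopes or mutation arguments. The class names, the SchemaScope model and the 'newVolume' argument are assumptions that stand in for Craft's real constructs. It shows the vulnerable shape (authorize against the schema-resolved volume, then fetch by ID alone) next to a hardened shape that scopes the lookup to the authorized volume and also authorizes the destination of a transfer:

```php
<?php
declare(strict_types=1);

// Added illustration for the CVE-2026-25497 bug class. NOT Craft CMS code:
// class names, SchemaScope and the 'newVolume' argument are assumptions.

final class Asset
{
    public function __construct(public int $id, public string $volumeHandle, public string $filename) {}
}

final class AssetRepository
{
    /** @var array<int, Asset> */
    private array $assets = [];

    public function add(Asset $asset): void { $this->assets[$asset->id] = $asset; }

    // Primary-key lookup only: this is the lookup the vulnerable resolver trusts.
    public function findById(int $id): ?Asset { return $this->assets[$id] ?? null; }

    // Scoped lookup: the row must match both the ID and the authorized volume
    // (the equivalent of adding "AND volumeId = ?" to the query).
    public function findByIdInVolume(int $id, string $volumeHandle): ?Asset
    {
        $asset = $this->assets[$id] ?? null;
        return ($asset !== null && $asset->volumeHandle === $volumeHandle) ? $asset : null;
    }
}

// Hypothetical stand-in for a GraphQL schema's write scopes (volumes the token may save to).
final class SchemaScope
{
    /** @param string[] $writableVolumes */
    public function __construct(private array $writableVolumes) {}

    public function canWrite(string $volumeHandle): bool
    {
        return in_array($volumeHandle, $this->writableVolumes, true);
    }
}

final class AuthorizationDenied extends RuntimeException {}

// Vulnerable shape: the scope check uses the schema-resolved volume, but the asset is
// then fetched by ID alone, so an ID from any other volume is accepted and written to.
function saveAssetVulnerable(AssetRepository $repo, SchemaScope $scope, string $schemaVolume, int $assetId, array $args): Asset
{
    if (!$scope->canWrite($schemaVolume)) {
        throw new AuthorizationDenied("no write scope for volume '$schemaVolume'");
    }
    $asset = $repo->findById($assetId);   // missing: does $asset belong to $schemaVolume?
    if ($asset === null) {
        throw new RuntimeException("asset $assetId not found");
    }
    if (isset($args['filename'])) { $asset->filename = $args['filename']; }
    if (isset($args['newVolume'])) { $asset->volumeHandle = $args['newVolume']; }   // transfer unchecked too
    return $asset;
}

// Hardened shape: the lookup itself is scoped to the authorized volume, and a transfer is
// only allowed into a volume the scope also covers. A cross-volume ID produces the same
// "not found" error as an unknown ID, so the endpoint does not become an existence oracle.
function saveAssetHardened(AssetRepository $repo, SchemaScope $scope, string $schemaVolume, int $assetId, array $args): Asset
{
    if (!$scope->canWrite($schemaVolume)) {
        throw new AuthorizationDenied("no write scope for volume '$schemaVolume'");
    }
    $asset = $repo->findByIdInVolume($assetId, $schemaVolume);
    if ($asset === null) {
        throw new RuntimeException("asset $assetId not found in volume '$schemaVolume'");
    }
    if (isset($args['newVolume']) && !$scope->canWrite($args['newVolume'])) {
        throw new AuthorizationDenied("no write scope for destination volume '{$args['newVolume']}'");
    }
    if (isset($args['filename'])) { $asset->filename = $args['filename']; }
    if (isset($args['newVolume'])) { $asset->volumeHandle = $args['newVolume']; }
    return $asset;
}

// Constructed sample data: a public volume the caller may write to and a private one it may not.
function seedRepository(): AssetRepository
{
    $repo = new AssetRepository();
    $repo->add(new Asset(1, 'public', 'banner.png'));
    $repo->add(new Asset(2, 'hrPrivate', 'salaries.pdf'));
    return $repo;
}

$scope  = new SchemaScope(['public']);                               // token may only save into 'public'
$attack = ['filename' => 'leaked.pdf', 'newVolume' => 'public'];     // targets asset 2, which lives in 'hrPrivate'

$moved = saveAssetVulnerable(seedRepository(), $scope, 'public', 2, $attack);
echo "vulnerable: asset 2 is now {$moved->volumeHandle}/{$moved->filename}\n";

try {
    saveAssetHardened(seedRepository(), $scope, 'public', 2, $attack);
} catch (RuntimeException $e) {
    echo "hardened: " . $e->getMessage() . "\n";
}
```

Run with `php example.php` (PHP 8.0 or later for constructor promotion). The vulnerable path renames the private asset and moves it into the caller's volume; the hardened path rejects the request before any write. The design point is that the ownership constraint belongs in the lookup itself, not in a check bolted on after the row has been loaded, and that a transfer has two volumes to authorize, the one the asset is in and the one it is going to.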

Affected Systems

Craft CMS versions from 4.0.0-RC1 up to, but not including, 4.17.0-beta.1 are affected, as are 5.x versions up to, but not including, 5.9.0-beta.1 (the NVD CPE data lists 5.0.0-RC1 and 5.0.0 explicitly). The GraphQL API and asset volumes are core features of both major lines, so any 4.x or 5.x install below the fixed versions should be treated as affected.

Risk and Exploitability

The vulnerability carries a CVSS v4.0 score of 8.6 (high); NVD's CVSS v3.1 assessment is 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The EPSS score is below 1%, the CISA SSVC assessment records no known exploitation and rates the flaw as not automatable, and it is not listed in the CISA KEV catalog. Exploitation requires an authenticated account (or GraphQL token) whose schema grants write access to at least one asset volume; with that, the attacker sends the asset mutation with the ID of an asset that lives in another volume, and because the resolver never checks the asset's volume against the authorized one, the modification or transfer goes through. No race or memory corruption is involved, so a working request is reliable and repeatable.

Generated by OpenCVE AI on April 18, 2026 at 18:13 UTC.

Remediation

The vendor has fixed this in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1 (see the description above and GHSA-fxp3-g6gw-4r4v). No separate workaround has been published by the vendor.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to 4.17.0-beta.1 or later on the 4.x line, or to 5.9.0-beta.1 or later on the 5.x line; these releases add the missing check that the asset being saved belongs to the schema-authorized volume.
  • If an upgrade cannot be performed immediately, reduce who can reach the vulnerable mutation at all: audit every GraphQL schema and token and remove asset write scopes from any schema used by untrusted or semi-trusted parties, including the public schema. Stripping write permission from only the sensitive volumes does not mitigate the flaw, because the attacker needs write access to any one volume, not to the volume being targeted.
  • Disable the GraphQL API, or restrict it to trusted roles and to tokens that carry no asset mutation scopes, until the patch is applied. After patching, review sensitive volumes for assets that were renamed, modified or moved unexpectedly before the upgrade.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-fxp3-g6gw-4r4v
Title: Craft CMS: GraphQL Asset Mutation Privilege Escalation
History

Thu, 19 Feb 2026 19:30:00 +0000

Values added:
  First Time appeared: Craftcms craft Cms
  CPEs: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
        cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  Vendors & Products: Craftcms craft Cms
  Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Tue, 10 Feb 2026 16:15:00 +0000

Values added:
  Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:45:00 +0000

Values added:
  First Time appeared: Craftcms; Craftcms craftcms
  Vendors & Products: Craftcms; Craftcms craftcms

Mon, 09 Feb 2026 20:00:00 +0000

Values added:
  Description: Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
  Title: Craft has a GraphQL Asset Mutation Privilege Escalation
  Weaknesses: CWE-639
  References:
  Metrics (cvssV4_0): {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:07.992Z

Reserved: 2026-02-02T16:31:35.824Z

Link: CVE-2026-25497

Vulnrichment

Updated: 2026-02-10T15:30:19.114Z

NVD

Status : Analyzed

Published: 2026-02-09T20:15:58.367

Modified: 2026-02-19T19:16:05.023

Link: CVE-2026-25497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses