Description
Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
Published: 2026-03-04
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized authorship assignment via mass assignment of authorId, allowing spoofing of entry authorship including admins.
Action: Patch
AI Analysis

Impact

Craft CMS's entry creation prior to version 4.17.0‑beta.1 and 5.9.0‑beta.1 processes the authorId parameter without verifying the current user's authorization. Users with Create Entries permission can inject authorId or authorIds[] into the request, enabling them to attribute new entries to any user, including administrators. This flaw results in unauthorized attribution of content and potential misuse of administrative identity, representing an integrity and trust loss in the system.

Affected Systems

All installations of Craft CMS older than 4.17.0‑beta.1 in the 4.x series and older than 5.9.0‑beta.1 in the 5.x series are vulnerable. The affected products include Craft CMS 4.0.0 through 4.16.x and Craft CMS 5.0.0 through 5.8.x. Users should verify their version and apply the fix.

Risk and Exploitability

The vulnerability carries a CVSS 4.0 base score of 7.1 (High). Exploitation is feasible through the standard entry creation endpoint by any authenticated user holding the Create Entries permission; the attack vector is network (AV:N), consistent with the flaw being exercised via a POST request to that endpoint. The probability of exploitation is very low (EPSS < 1%), and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Because an attacker can attribute content to any user, including an admin, the risk to organizational trust and content integrity remains significant.

Generated by OpenCVE AI on April 17, 2026 at 13:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.0‑beta.1 or later, or to 5.9.0‑beta.1 or later, to apply the vendor fix.
  • Restrict the Create Entries permission to trusted users only, ensuring that only authorized personnel can create new content.
  • Validate or disable the authorId/authorIds[] parameters on the entry creation endpoint to prevent unauthorized author assignment, and audit current entries for incorrect authorship.
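The pattern described in the Description and in the last recommended action, as an added illustration that is not Craft CMS code: a mass-assignment shape that copies every posted field onto the entry, beside an allow-list that honours authorId/authorIds[] only for callers holding an author-assignment permission. The User class, the permission names ("createEntries", "assignEntryAuthors") and the request shape are hypothetical; only the parameter names come from the advisory.

```php
<?php
// Added illustration, not Craft CMS code. User, the permission names and the
// request shape are hypothetical; only authorId/authorIds[] come from the advisory.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions permission names held by this user */
    public function __construct(public readonly int $id, private array $permissions = []) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

// Vulnerable shape: every posted field is copied onto the new entry, so a
// caller holding only "createEntries" can also set authorIds[].
function buildEntryVulnerable(array $post, User $current): array
{
    $entry = ['authorIds' => [$current->id]];
    foreach ($post as $key => $value) {
        $entry[$key] = $value; // mass assignment, no allow-list
    }
    return $entry;
}

// Hardened shape: only allow-listed fields are copied, and the author fields
// are honoured only when the caller holds the (hypothetical) permission.
function buildEntryHardened(array $post, User $current): array
{
    $entry = ['authorIds' => [$current->id]]; // default: the caller is the author
    foreach (['title', 'slug', 'fields'] as $key) {
        if (array_key_exists($key, $post)) {
            $entry[$key] = $post[$key];
        }
    }
    $requested = $post['authorIds'] ?? (isset($post['authorId']) ? [$post['authorId']] : null);
    if ($requested !== null && $current->can('assignEntryAuthors')) {
        $entry['authorIds'] = array_map('intval', (array) $requested);
    } elseif ($requested !== null) {
        // The UI never sends these fields for such users, so this is a detection signal.
        error_log(sprintf('user %d posted author fields without permission', $current->id));
    }
    return $entry;
}

// Constructed request: an editor tries to attribute the entry to user 1 (an admin).
$editor = new User(42, ['createEntries']);
$post = ['title' => 'Hello', 'authorIds' => ['1']];
var_dump(buildEntryVulnerable($post, $editor)['authorIds'], buildEntryHardened($post, $editor)['authorIds']);
```

The vulnerable builder returns the posted author list, while the hardened one keeps the caller's own id and logs the attempt.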



Advisories
Source | ID | Title
GitHub GHSA | GHSA-2xfc-g69j-x2mp | Craft CMS: Entries Authorship Spoofing via Mass Assignment
History

Thu, 05 Mar 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms craft Cms
CPEs | | cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
 | | cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products | | Craftcms craft Cms
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Thu, 05 Mar 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Craftcms
 | | Craftcms craftcms
Vendors & Products | | Craftcms
 | | Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | (text as in the Description section above)
Title | | Craft Affected by Entries Authorship Spoofing via Mass Assignment
Weaknesses | | CWE-639
 | | CWE-915
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T17:36:52.722Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28781

Vulnrichment

Updated: 2026-03-04T17:36:48.255Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:21.370

Modified: 2026-03-05T19:55:03.383

Link: CVE-2026-28781

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T13:15:19Z

Weaknesses