Description
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Published: 2026-03-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized content duplication via permission bypass
Action: Patch
AI Analysis

Impact

Craft CMS allows a user with only view permissions to duplicate entries that belong to other users. The server-side handler for the duplicate action does not enforce the per-element permission check that the interface implies, so an attacker can submit the request directly and supply arbitrary entry IDs. Because entry IDs are sequential, an attacker can brute-force many IDs to access or copy restricted content. The weakness is a classic IDOR/privilege escalation flaw (CWE-639, authorization bypass through a user-controlled key).

Affected Systems

The vulnerability affects Craft CMS installations running any version earlier than 5.9.0-beta.1 or 4.17.0-beta.1, i.e. every 4.x release before 4.17.0-beta.1 and every 5.x release before 5.9.0-beta.1.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. EPSS is below 1%, suggesting a low current exploitation probability, and the issue is not listed in CISA's KEV catalog. Attackers can exploit the flaw by sending a crafted HTTP request directly to the duplicate endpoint, optionally brute-forcing entry IDs because they are incremental. Successful exploitation allows duplication of any entry reachable by ID, including other users' entries, exposing restricted content across the system. The vulnerability requires no privileges beyond a view-only role and no advanced skills, so a broad range of attackers could potentially target it.
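The exploitation pattern above (one low-privilege account walking consecutive entry IDs through the duplicate action) is easy to spot in application audit logs. The following detection heuristic is an added example, not OpenCVE's or Craft CMS's own code; it assumes a JSON-lines audit log with `ts`, `user`, `ip`, `action` and `entryId` fields, and the action name `entries/duplicate` is a placeholder to map onto whatever your installation records.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

DUPLICATE_ACTION = "entries/duplicate"  # placeholder name; map to your audit log's value

# Constructed sample audit log (JSON lines), not real data: a view-only account
# walks consecutive entry IDs, while an editor duplicates two unrelated entries.
SAMPLE_LOG = [
    json.dumps({"ts": f"2026-03-04T10:00:{s:02d}Z", "user": "viewer", "ip": "203.0.113.5",
                "action": DUPLICATE_ACTION, "entryId": eid})
    for s, eid in zip(range(0, 42, 6), range(101, 108))
] + [
    json.dumps({"ts": "2026-03-04T10:01:00Z", "user": "editor", "ip": "198.51.100.9",
                "action": DUPLICATE_ACTION, "entryId": 310}),
    json.dumps({"ts": "2026-03-04T10:03:00Z", "user": "editor", "ip": "198.51.100.9",
                "action": DUPLICATE_ACTION, "entryId": 412}),
    json.dumps({"ts": "2026-03-04T10:03:30Z", "user": "viewer", "ip": "203.0.113.5",
                "action": "entries/view", "entryId": 108}),
]


def find_id_enumeration(lines, min_ids=5, window=timedelta(minutes=5), consecutive_ratio=0.8):
    """Flag (user, ip) pairs that duplicate >= min_ids distinct entries within
    `window` where most ID-to-ID steps are exactly 1 (sequential-ID walking)."""
    events = defaultdict(list)  # (user, ip) -> [(timestamp, entry_id)]
    for line in lines:
        ev = json.loads(line)
        if ev.get("action") != DUPLICATE_ACTION:
            continue
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events[(ev["user"], ev["ip"])].append((ts, int(ev["entryId"])))

    alerts = []
    for (user, ip), evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            # Distinct IDs duplicated by this actor inside the sliding window.
            ids = sorted({eid for t, eid in evs[i:] if t - t0 <= window})
            if len(ids) < min_ids:
                continue
            steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
            if steps >= consecutive_ratio * (len(ids) - 1):
                alerts.append({"user": user, "ip": ip, "first_id": ids[0],
                               "last_id": ids[-1], "count": len(ids)})
                break  # one alert per actor is enough
    return alerts
```

On the sample log this flags only the `viewer` account (IDs 101 to 107 in under a minute); the editor's two non-adjacent duplications stay below the threshold.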

Generated by OpenCVE AI on April 16, 2026 at 13:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.0-beta.1, 5.9.0-stable, 4.17.0-beta.1, or any later release. These releases add the missing per-element permission check to the duplicate action and close the IDOR.
  • If an immediate upgrade is not possible, restrict direct access to the duplicate endpoint with network- or application-level controls that enforce permission checks before the request reaches the CMS, for example web-application firewall rules or .htaccess/NGINX rules that block unauthorized POSTs to /actions/Entry/saveEntryDuplicate or similar paths. A proxy-layer rule cannot tell whether the requester is authorised for a specific entry, so treat this as exposure reduction (e.g. limiting the path to trusted networks or roles) rather than a substitute for the fix.
  • Review user permissions to ensure that users with only view rights are not assigned extra roles that grant duplicate capability. Note that hiding the duplicate action in the UI for view-only roles does not by itself prevent direct requests, since the flaw is in the server-side check.


Tracking


Advisories
Source        ID                    Title
Github GHSA   GHSA-jxm3-pmm2-9gf6   Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action
History

Thu, 05 Mar 2026 20:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Craftcms craft Cms
CPEs                                   cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
                                       cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products                     Craftcms craft Cms
Metrics                                cvssV3_1
                                       {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Thu, 05 Mar 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Craftcms; Craftcms craftcms
Vendors & Products                     Craftcms; Craftcms craftcms

Wed, 04 Mar 2026 18:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc
                                       {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 16:45:00 +0000

Type                  Values Removed   Values Added
Description                            Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
Title                                  Craft has a Permission Bypass and IDOR in Duplicate Entry Action
Weaknesses                             CWE-639
References
Metrics                                cvssV4_0
                                       {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T17:35:08.922Z

Reserved: 2026-03-03T14:25:19.244Z

Link: CVE-2026-28782

Vulnrichment

Updated: 2026-03-04T17:35:03.476Z

NVD

Status: Analyzed

Published: 2026-03-04T17:16:21.533

Modified: 2026-03-05T19:55:33.597

Link: CVE-2026-28782

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T13:45:21Z

Weaknesses