Description
Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users.
Published: 2026-04-21
Score: n/a
EPSS: n/a
KEV: No
Impact: Unauthorized modification of content owned by higher-privilege users via broken access control
Action: Patch immediately
AI Analysis

Impact

Textpattern CMS 4.9.0 contains a broken access control flaw that enables authenticated users with low privileges to alter articles belonging to users with higher privileges. The vulnerability arises when the article ID parameter is manipulated during the duplicate-and-save workflow in txp_article.php, allowing an attacker to bypass authorization checks and overwrite target content. This flaw can be leveraged to tamper with confidential or strategically important articles, impacting the integrity of published material and potentially leading to misinformation or loss of trust.

Affected Systems

The vulnerability affects Textpattern CMS version 4.9.0 and potentially earlier releases that have not applied the patch included in the 4.9.1 security release. It specifically targets the article management subsystem located in txp_article.php and the duplicate-and-save operation exposed to authenticated users.

Risk and Exploitability

Although EPSS data is unavailable and the vulnerability is not listed in CISA KEV, the flaw permits privilege escalation within the CMS, enabling attackers to modify content that would otherwise be protected. Based on the description, the likely attack vector is an authenticated user who can control the article ID parameter during duplication. The high potential for compromising content integrity suggests a severe risk posture, warranting immediate attention.

Generated by OpenCVE AI on April 21, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch released in Textpattern CMS 4.9.1 or later to fix the broken access control issue.
  • If a patch is not immediately deployable, restrict duplicate-and-save functionality for low‑privilege user groups using the CMS permission settings to block the ability to manipulate article IDs.
  • Configure your web server to restrict direct access to txp_article.php or use URL rewriting rules to prevent unauthenticated manipulation of article identifiers.

Generated by OpenCVE AI on April 21, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Textpattern
Textpattern textpattern
Vendors & Products Textpattern
Textpattern textpattern

Tue, 21 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Description Textpattern CMS 4.9.0 contains a Broken Access Control vulnerability in the article management system that allows authenticated users with low privileges to modify articles owned by users with higher privileges. By manipulating the article ID parameter during the duplicate-and-save workflow in textpattern/include/txp_article.php, an attacker can bypass authorization checks and overwrite content belonging to other users.
References

Subscriptions

Textpattern Textpattern
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-21T16:32:19.608Z

Reserved: 2026-03-04T00:00:00.000Z

Link: CVE-2026-30452

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-21T17:16:36.303

Modified: 2026-04-21T17:16:36.303

Link: CVE-2026-30452

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T23:15:03Z

Weaknesses

No weakness.