Description
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Published: 2026-03-24
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of content via section bypass
Action: Patch immediately
AI Analysis

Impact

A flaw in Craft CMS’s move‑to‑section endpoint allows a user who only holds general control‑panel access, but not the specific saveEntries permission for a section, to relocate any entry to any other section. The issue permits an authenticated attacker to reorder or reclassify content without proper authorization, potentially exposing sensitive materials or altering site structure. The weakness is a classic authorization bypass, reflected in CWE‑285 and CWE‑862.

Affected Systems

Craft CMS versions from 5.3.0 through 5.9.13 are affected. The flaw is present in the core application, and the product affects all sites running the vulnerable releases. Patching to 5.9.14 or later resolves the issue.

Risk and Exploitability

The CVSS score of 4.9 places the vulnerability in the moderate range, while the EPSS score is under 1 % and the vulnerability is not currently listed in KEV. The exploit requires authentication and the ability to reach the control panel; the likely attack vector is an internal or compromised credential gaining access to the CMS admin interface.

Generated by OpenCVE AI on March 26, 2026 at 21:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.14 or later.

Generated by OpenCVE AI on March 26, 2026 at 21:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-f582-6gf6-gx4g Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions
History

Thu, 26 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Wed, 25 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 24 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Title Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
Weaknesses CWE-285
CWE-862
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T13:40:37.056Z

Reserved: 2026-03-17T21:17:08.887Z

Link: CVE-2026-33162

cve-icon Vulnrichment

Updated: 2026-03-25T13:40:32.677Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T18:16:10.420

Modified: 2026-03-26T20:41:41.400

Link: CVE-2026-33162

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:53Z

Weaknesses