Description
Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.
Published: 2026-04-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Removal of User Group Memberships
Action: Apply Patch
AI Analysis

Impact

Craft CMS versions 5.6.0 through 5.9.14 contain a missing authorization check in the actionSavePermissions endpoint: any authenticated user holding only the viewUsers permission can submit an empty groups value for another user, which removes that user from every user group they belong to. The helper _saveUserGroups() checks per-group authorization when groups are added but performs no equivalent check when groups are removed, so the removal path is reachable without any group-assignment privilege. The effect is that a low-privilege user can strip any other user of the permissions granted through group membership. The flaw is an instance of Missing Authorization (CWE-862).
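The following is an added example that models the control-flow gap described above; it is not Craft CMS's own code and not the 5.9.15 patch. It assumes a permission name of the form assignUserGroup:<group uid> and the names Actor, saveUserGroupsVulnerable and saveUserGroupsHardened, all chosen here for illustration.

```php
<?php
// Added example: simplified model of the authorization gap described for
// CVE-2026-41128. Not Craft CMS's own code. The permission name format
// "assignUserGroup:<group uid>" and every function name are assumptions.

declare(strict_types=1);

/** Minimal stand-in for the acting user's permission set (constructed). */
final class Actor
{
    public function __construct(private array $permissions) {}

    public function can(string $permission): bool
    {
        return in_array($permission, $this->permissions, true);
    }
}

/**
 * Vulnerable pattern: only additions are authorized per group. Removals are
 * implied by whatever the submitted list omits and are never checked, so an
 * empty list clears every existing membership.
 */
function saveUserGroupsVulnerable(Actor $actor, array $currentGroupUids, array $submittedGroupUids): array
{
    $added = array_diff($submittedGroupUids, $currentGroupUids);
    foreach ($added as $uid) {
        if (!$actor->can("assignUserGroup:$uid")) {
            throw new RuntimeException("Not allowed to assign group $uid");
        }
    }
    // No check on the removal side: the submitted list simply replaces the old one.
    return array_values($submittedGroupUids);
}

/**
 * Hardened pattern: the same per-group check is applied to both sides of the
 * diff, so an actor can only remove memberships in groups they may assign.
 * (The real 5.9.15 change may differ in detail; this is one way to close the gap.)
 */
function saveUserGroupsHardened(Actor $actor, array $currentGroupUids, array $submittedGroupUids): array
{
    $added   = array_diff($submittedGroupUids, $currentGroupUids);
    $removed = array_diff($currentGroupUids, $submittedGroupUids);

    foreach ($added as $uid) {
        if (!$actor->can("assignUserGroup:$uid")) {
            throw new RuntimeException("Not allowed to assign group $uid");
        }
    }
    foreach ($removed as $uid) {
        if (!$actor->can("assignUserGroup:$uid")) {
            throw new RuntimeException("Not allowed to remove group $uid");
        }
    }
    return array_values($submittedGroupUids);
}

// Constructed scenario: a viewer holding only viewUsers targets a user who is
// in the "admins" and "editors" groups and submits an empty groups value.
$viewer  = new Actor(['viewUsers']);
$manager = new Actor(['viewUsers', 'assignUserGroup:admins', 'assignUserGroup:editors']);
$current = ['admins', 'editors'];

// Vulnerable path: the viewer's request is accepted and both memberships vanish.
var_dump(saveUserGroupsVulnerable($viewer, $current, []));

// Hardened path: the same request is rejected for the viewer ...
try {
    saveUserGroupsHardened($viewer, $current, []);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// ... while an actor who may manage both groups can still legitimately remove one.
var_dump(saveUserGroupsHardened($manager, $current, ['editors']));
```

Run with `php example.php`. The vulnerable call returns an empty array for the viewer, the hardened call throws on the first group the viewer may not manage, and the manager's call returns only the editors group. An alternative hardening that avoids breaking forms which only render the groups an actor can assign is to silently preserve the memberships the actor is not authorized to touch instead of throwing; which approach the vendor chose is not stated on this page.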

Affected Systems

The vulnerability affects Craft CMS versions 5.6.0 through 5.9.14; every installation running a version in that range is impacted. The fix was released in version 5.9.15.

Risk and Exploitability

The CVSS 4.0 score of 5.3 indicates moderate severity. The vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L) records a network-reachable, low-complexity attack that needs low privileges and no user interaction, with a low availability impact and no confidentiality or integrity impact on the vulnerable system; since the flaw actually modifies group membership, treat the score as a lower bound where group membership gates sensitive permissions. The EPSS score is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable only by authenticated users who hold at least the viewUsers permission and can submit a crafted request to the save-permissions endpoint, so the realistic threat is an insider or an attacker who has already obtained such an account. Upgrading to a fixed version removes the exposure.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Remediation

Vendor fix: upgrade to Craft CMS 5.9.15 or later, which contains the patch. No vendor workaround for earlier versions is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Craft CMS 5.9.15 or later to resolve the missing authorization check.
  • Revoke or restrict the viewUsers permission from users who do not require it to view user data.
  • Enable logging or audit trails for user group changes to detect unauthorized modifications.

Generated by OpenCVE AI on April 22, 2026 at 06:10 UTC.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 11:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Craftcms; Craftcms craftcms
Vendors & Products    (none)           Craftcms; Craftcms craftcms

Wed, 22 Apr 2026 00:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch.
Title         (none)           Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action
Weaknesses    (none)           CWE-862
References    (none)           (none)
Metrics       (none)           cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:32:37.911Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41128

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-22T00:16:28.593

Modified: 2026-04-22T00:16:28.593

Link: CVE-2026-41128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses