Description
Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21.
Published: 2026-07-02
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS contains a mass‑assignment flaw in the bulk‑duplicate element action. When an attacker duplicates their own entries, they can submit an arbitrary numeric id in the newAttributes request parameter. The duplication routine resets its internal id to null, but the supplied id is re‑applied during configuration, causing the underlying save operation to perform an UPDATE against the target entry row instead of an INSERT. As a result, the attacker's title, slug, authorId, postDate, and UID overwrite the victim's entry data. This vulnerability is a classic example of CWE‑915, where improper handling of input leads to unintended writes.

Affected Systems

Craft CMS versions 5.7.0 up to but not including 5.9.21 are affected. The vulnerability is fixed starting with version 5.9.21.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity. The EPSS score is <1%, indicating a very low exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog, implying no known active exploitation at this time. The likely attack vector requires an authenticated user who can perform bulk‑duplicate operations on their own entries; the flaw allows that user to overwrite arbitrary existing entries by supplying a target id.

Generated by OpenCVE AI on July 3, 2026 at 17:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.21 or later. This applies the vendor’s fix for the mass‑assignment flaw.
  • Restrict use of the bulk‑duplicate element action to trusted users, or disable the feature entirely if it is not needed.
  • Audit existing entries and database logs for unexpected updates that may indicate exploitation of the mass‑assignment flaw.
  • Apply tighter permissions to the remove/edit aspects of the bulk‑duplicate functionality to limit potential impact.

Generated by OpenCVE AI on July 3, 2026 at 17:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-x5m4-g2cq-52pq Craft CMS's mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
History

Thu, 02 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 16:45:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). Versions 5.7.0 and above, prior to 5.9.21 contain a mass-assignment flaw in the bulk-duplicate element action. An attacker who is only able to duplicate their own entires can submit an arbitrary id through the newAttributes request parameter. The duplication routine overrides its own id = null reset with that value and writes the attacker's attributes into the victim's existing entry row. ElementsController::beforeAction() pulls the request body into $this->_attributes and rejects requests that ship an id or canonicalId key at the top level, actionBulkDuplicate(), reads a separate newAttributes array and passes it straight through to the service layer. Elements::duplicateElement() clones the source element, sets id to null, and then hands the attacker's array to Craft::configure(), which overwrites the reset id with any numeric value inside $newAttributes. PHP Yii's saveElement() then performs an UPDATE against the row with that primary key instead of an INSERT. The attackers's title, slug, authorId, postDate, and UID land on the victim's entry. safeAttributes() on Entry includes id because the base element model exposes it, so the Collection::only() filter does not strip it. This issue has been fixed in version 5.9.21.
Title Craft CMS: Mass assignment via id in newAttributes during bulk duplicate overwrites existing elements
Weaknesses CWE-915
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-02T19:44:23.581Z

Reserved: 2026-06-04T16:26:05.985Z

Link: CVE-2026-50281

cve-icon Vulnrichment

Updated: 2026-07-02T19:44:18.395Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-03T18:00:12Z

Weaknesses
  • CWE-915

    Improperly Controlled Modification of Dynamically-Determined Object Attributes