Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-qq2c-2q8j-jh27 | Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 01 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS is a content management system (CMS). IN versions 5.0.0-RC1 and above prior to 5.9.21, theEntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model, allowing for authorship spoofing. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission. This issue has been fixed in version 5.9.21. | |
| Title | Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap | |
| Weaknesses | CWE-285 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T12:27:42.242Z
Reserved: 2026-06-04T16:26:05.985Z
Link: CVE-2026-50279
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T18:15:04Z
Weaknesses
Github GHSA