Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.
Project Subscriptions
No data.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-43cq-c2gq-pfpw | Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check |
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Thu, 02 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 01 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section->uid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21. | |
| Title | Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check | |
| Weaknesses | CWE-284 | |
| References |
| |
| Metrics |
cvssV4_0
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-02T15:39:22.626Z
Reserved: 2026-06-04T16:26:05.985Z
Link: CVE-2026-50280
Updated: 2026-07-02T15:39:19.508Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-02T18:15:04Z
Weaknesses
Github GHSA