Description

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively "spoofs" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

INFO

Published Date :

2026-03-04T16:31:39.357Z

Last Modified :

2026-03-04T17:36:52.722Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28781 vulnerability.

Vendors Products
Craftcms
  • Craft Cms
  • Craftcms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28781.

URL Resource
https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8 cve-icon cve-icon
https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact