{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28781", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.244Z", "datePublished": "2026-03-04T16:31:39.357Z", "dateUpdated": "2026-03-04T17:36:52.722Z"}, "containers": {"cna": {"title": "Craft Affected by Entries Authorship Spoofing via Mass Assignment", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-915", "lang": "en", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}, {"name": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"}, {"name": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.9.0-beta.1", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.17.0-beta.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T16:31:39.357Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."}], "source": {"advisory": "GHSA-2xfc-g69j-x2mp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T17:36:36.759532Z", "id": "CVE-2026-28781", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:36:52.722Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28781", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-04T17:36:36.759532Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T17:36:48.255Z"}}], "cna": {"title": "Craft Affected by Entries Authorship Spoofing via Mass Assignment", "source": {"advisory": "GHSA-2xfc-g69j-x2mp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.9.0-beta.1"}, {"status": "affected", "version": ">= 4.0.0-RC1, < 4.17.0-beta.1"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "name": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "name": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-915", "description": "CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-04T16:31:39.357Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28781", "state": "PUBLISHED", "dateUpdated": "2026-03-04T17:36:52.722Z", "dateReserved": "2026-03-03T14:25:19.244Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-04T16:31:39.357Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD3AD543-D77F-4B2E-AF8D-1C7C724BD26D", "versionEndExcluding": "4.17.0", "versionStartExcluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "81B9164E-4845-4D81-A841-378CE4E32485", "versionEndExcluding": "5.9.0", "versionStartExcluding": "5.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "610F6DE9-720F-45B3-81D5-18E7F6B090FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "CC2F40FC-7C27-456A-B16D-679410D1D5CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "FBAA8227-04F8-404C-907B-B0162B325F5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "21B28E2C-327A-4CE6-ACAD-97E459712A55", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with \"Create Entries\" permission can inject the authorIds[] (or authorId) parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally, this field is not present in the request for users without the necessary permissions. By manually adding this parameter, an attacker can attribute the new entry to any user, including Admins. This effectively \"spoofs\" the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1."}], "id": "CVE-2026-28781", "lastModified": "2026-03-05T19:55:03.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-04T17:16:21.370", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/830b403870cd784b47ae42a3f5a16e7ac2d7f5a8"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/c6dcbdffaf6ab3ffe77d317336684d83699f4542"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2xfc-g69j-x2mp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-915"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.9.0-beta.1)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0.0-RC1,4.17.0-beta.1)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-17T13:09:51.564636+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.17.0\u2011beta.1 or later, or to 5.9.0\u2011beta.1 or later, to apply the vendor fix.", "Restrict the Create Entries permission to trusted users only, ensuring that only authorized personnel can create new content.", "Validate or disable the authorId/authorIds[] parameters on the entry creation endpoint to prevent unauthorized author assignment, and audit current entries for incorrect authorship."], "summary": {"action": "Patch", "impact": "Unauthorized authorship assignment via mass assignment of authorId, allowing spoofing of entry authorship including admins."}, "threat_synthesis": {"affected_systems": "All installations of Craft CMS older than 4.17.0\u2011beta.1 in the 4.x series and older than 5.9.0\u2011beta.1 in the 5.x series are vulnerable. The affected products include Craft CMS 4.0.0 through 4.16.x and Craft CMS 5.0.0 through 5.8.x. Users should verify their version and apply the fix.", "description_and_impact": "Craft CMS's entry creation prior to version 4.17.0\u2011beta.1 and 5.9.0\u2011beta.1 processes the authorId parameter without verifying the current user's authorization. Users with Create Entries permission can inject authorId or authorIds[] into the request, enabling them to attribute new entries to any user, including administrators. This flaw results in unauthorized attribution of content and potential misuse of administrative identity, representing an integrity and trust loss in the system.", "risk_and_exploitability": "The vulnerability scores a CVSS base of 7.1, indicating a high impact if exploited. Exploitation is feasible through the standard entry creation endpoint by any authenticated user possessing the Create Entries permission. The likely attack vector is remote over HTTP, inferred from the fact that the vulnerability is exercised via a POST request to the entry creation endpoint. The probability of exploitation is very low (<1%), and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. Because the attacker can impersonate any user, including an admin, the risk to organizational trust and content integrity remains significant."}}}}, "created": "2026-03-05T09:07:00.824909+00:00", "updated": "2026-04-17T13:15:19.681904+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}