Craft CMS is a widely used platform for building digital experiences, including websites and content management systems. Versions 4.0.0-RC1 through before 4.17.0-beta.1 and 5.9.0-beta.1 contain a critical authorization bypass vulnerability (CVE-2026-25497) in the GraphQL API's saveAsset mutation. The flaw arises because while the mutation checks authorization against the volume defined in the GraphQL schema, it retrieves the target asset solely by its ID without confirming that the asset belongs to the authorized volume. This discrepancy allows an authenticated user with write permissions on one asset volume to escalate privileges and modify or transfer assets belonging to other volumes, including those that are restricted or private. This cross-volume asset manipulation violates intended access controls and can lead to unauthorized data exposure or tampering. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key). Exploitation requires authentication with write access but no additional user interaction, making it relatively straightforward for insiders or compromised accounts. The issue was addressed in Craft CMS versions 4.17.0-beta.1 and 5.9.0-beta.1 by properly verifying asset ownership during the saveAsset mutation. Although no public exploits are known, the high CVSS score (8.6) reflects the significant risk posed by this vulnerability.

For European organizations using affected Craft CMS versions, this vulnerability poses a substantial risk to the confidentiality and integrity of digital assets managed via the CMS. Unauthorized modification or transfer of assets across volumes can lead to data leakage, defacement, or unauthorized content distribution, potentially damaging brand reputation and violating data protection regulations such as GDPR. Organizations relying on Craft CMS for managing sensitive or restricted content are particularly at risk, as attackers with write access to any asset volume can escalate privileges to access protected assets. This could also facilitate further attacks by manipulating critical assets or injecting malicious content. The vulnerability does not directly affect availability but can indirectly impact business operations through content integrity loss. Given the ease of exploitation by authenticated users without user interaction, insider threats or compromised accounts represent a significant attack vector. The absence of known exploits in the wild suggests limited current exploitation but also highlights the importance of timely patching to prevent future attacks.

European organizations should immediately assess their Craft CMS installations to identify affected versions (>=4.0.0-RC1 and <4.17.0-beta.1, >=5.0.0-RC1 and <5.8.22). The primary mitigation is to upgrade Craft CMS to versions 4.17.0-beta.1 or later and 5.9.0-beta.1 or later where the vulnerability is fixed. Until patching is possible, organizations should restrict write access to asset volumes to trusted users only and implement strict monitoring of GraphQL API usage to detect anomalous asset modifications or transfers. Employing Web Application Firewalls (WAFs) with custom rules to detect unusual GraphQL mutation patterns may help mitigate exploitation attempts. Additionally, review and tighten user permissions to enforce the principle of least privilege, ensuring users have access only to necessary asset volumes. Regularly audit asset volume ownership and changes to detect unauthorized modifications. Finally, implement strong authentication mechanisms and monitor for compromised accounts to reduce the risk of insider exploitation.