CVE-2026-28781 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and CWE-915 (Improper Authorization). The flaw exists in Craft CMS's entry creation process prior to versions 4.17.0-beta.1 and 5.9.0-beta.1. Specifically, the system allows mass assignment of the 'authorId' attribute when creating entries. A user with the 'Create Entries' permission can inject the 'authorIds[]' or 'authorId' parameter into the POST request. The backend processes this parameter without verifying whether the user is authorized to assign authorship to other users. Normally, users without explicit permission to assign authorship do not have this field present in their requests. By manipulating this parameter, an attacker can attribute new content entries to any user account, including administrators, effectively spoofing authorship. This can undermine content integrity, audit trails, and accountability within the CMS. The vulnerability is remotely exploitable over the network without requiring user interaction or elevated privileges beyond 'Create Entries'. The CVSS 4.0 score is 7.1 (high), reflecting network attack vector, low complexity, no privileges required beyond 'Create Entries', no user interaction, and high impact on integrity. The flaw was reserved on March 3, 2026, and published on March 4, 2026. No public exploits are known at this time. The issue is resolved in Craft CMS versions 4.17.0-beta.1 and 5.9.0-beta.1 by enforcing proper authorization checks on the authorId attribute during entry creation.

This vulnerability can have significant impacts on organizations using affected versions of Craft CMS. By allowing unauthorized assignment of authorship, attackers can spoof content ownership, potentially misleading internal audits, content approval workflows, and accountability mechanisms. This can facilitate further social engineering or privilege escalation attempts if attackers attribute malicious content to trusted administrators. It may also disrupt content management processes and damage organizational reputation if unauthorized or malicious content appears to originate from privileged users. Although the vulnerability does not directly allow privilege escalation or data exfiltration, the integrity impact is high, as it undermines trust in content provenance. Organizations relying on Craft CMS for public-facing websites or internal portals may face reputational damage or operational disruption. The ease of exploitation and network accessibility increase the risk of widespread abuse, especially in environments where many users have 'Create Entries' permissions. No known exploits in the wild reduce immediate risk, but the vulnerability should be treated as urgent due to its potential misuse.

Organizations should upgrade Craft CMS installations to version 4.17.0-beta.1 or later, or 5.9.0-beta.1 or later, where the vulnerability is fixed. Until upgrades can be applied, administrators should audit user permissions and restrict the 'Create Entries' permission to trusted users only, minimizing the attack surface. Implementing web application firewalls (WAFs) with custom rules to detect and block POST requests containing unauthorized 'authorId' or 'authorIds[]' parameters can provide temporary protection. Monitoring CMS logs for unusual author assignment patterns or unexpected content authorship changes can help detect exploitation attempts. Additionally, organizations should review content approval workflows to include verification of authorship changes and consider multi-factor authentication for administrative accounts to reduce risk from spoofed authorship. Regular security assessments and penetration testing focusing on CMS authorization controls are recommended to identify similar weaknesses.