CVE-2026-28782: CWE-639: Authorization Bypass Through User-Controlled Key in craftcms cms
Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.
AI Analysis
Technical Summary
Craft CMS, a widely used content management system, contains an authorization bypass tracked as CVE-2026-28782 (CWE-639, Authorization Bypass Through User-Controlled Key) in the 'Duplicate' entry action of versions prior to 5.9.0-beta.1 and 4.17.0-beta.1. The control panel hides the Duplicate action from users who hold only the 'View Entries' permission, but the server-side handler did not verify that the requesting user was allowed to duplicate each of the target elements; the UI restriction was the only gate. A user with view-only access can therefore send the same request the control panel would have sent and have it honoured. The target elements are identified by caller-supplied entry IDs, and because entry IDs are sequential database keys the same user can simply enumerate them (no real brute force is needed) and duplicate other authors' entries, including entries in sections they were never granted access to. Each duplicate is a readable copy of the original, so the flaw exposes restricted content. The attacker needs an authenticated control panel account with 'View Entries' permission and nothing more; no user interaction is required. The CVSS 4.0 base score is 5.3 (medium): network attack vector, low attack complexity, no user interaction. The issue is not unauthenticated, though: the prerequisite is a low-privileged control panel account. No exploitation in the wild had been reported at publication. The fix in 5.9.0-beta.1 and 4.17.0-beta.1 enforces the per-element permission check on the server side.
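The bug class above, as an added illustration that is not Craft CMS source code: a bulk "duplicate" handler that only checks a role-level gate (the shape the advisory describes, where the UI hid the button and the server trusted the caller-supplied IDs) next to one that authorises every target element before mutating anything. `Entry`, `User`, the permission strings, the in-memory store and the sample entries are all hypothetical; the point is the per-element check, the fail-closed batch, and the enumeration loop that the sequential ID space invites.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from itertools import count

# Added illustration, not Craft CMS source. Entry, User, the permission
# strings and the in-memory store are hypothetical stand-ins.

@dataclass(frozen=True)
class Entry:
    id: int
    section: str   # hypothetical section handles, e.g. "blog", "hr"
    author: str
    title: str
    body: str

@dataclass
class User:
    name: str
    permissions: set[str] = field(default_factory=set)

    def can(self, perm: str) -> bool:
        return perm in self.permissions

class Forbidden(Exception):
    pass

class EntryStore:
    """Entries keyed by a sequential integer, like an auto-increment column."""
    def __init__(self, entries: list[Entry]):
        self.rows = {e.id: e for e in entries}
        # New rows get the next sequential key. Seeded at 100 so the demo's
        # scan of 1..99 does not re-duplicate the copies it just created.
        self._next_id = count(100)

    def get(self, entry_id: int) -> Entry | None:
        return self.rows.get(entry_id)

    def duplicate(self, src: Entry, actor: User) -> Entry:
        copy = Entry(next(self._next_id), src.section, actor.name, src.title + " Copy", src.body)
        self.rows[copy.id] = copy
        return copy

def duplicate_action_vulnerable(store: EntryStore, user: User, element_ids: list[int]) -> list[Entry]:
    """Bug class from the advisory: the UI hid the button from view-only users,
    but the handler trusts caller-supplied IDs and never checks each target."""
    if not user.can("accessCp"):
        raise Forbidden("not a control panel user")
    found = [e for e in (store.get(i) for i in element_ids) if e is not None]
    return [store.duplicate(e, user) for e in found]

def can_view(user: User, entry: Entry) -> bool:
    return user.can(f"viewEntries:{entry.section}")

def can_duplicate(user: User, entry: Entry) -> bool:
    # A duplicate is a new entry, so it needs create rights in that section too.
    return can_view(user, entry) and user.can(f"createEntries:{entry.section}")

def duplicate_action_hardened(store: EntryStore, user: User, element_ids: list[int]) -> list[Entry]:
    """Authorise every target before mutating anything (fail closed, all-or-nothing)."""
    if not user.can("accessCp"):
        raise Forbidden("not a control panel user")
    targets = []
    for i in element_ids:
        entry = store.get(i)
        # One error for "missing" and "not allowed": a distinguishable 404 would
        # turn the sequential ID space into an existence oracle.
        if entry is None or not can_duplicate(user, entry):
            raise Forbidden(f"cannot duplicate element {i}")
        targets.append(entry)
    return [store.duplicate(e, user) for e in targets]

def enumerate_ids(handler, store: EntryStore, user: User, id_range) -> list[Entry]:
    """Attacker loop: walk the sequential ID space one element per request."""
    leaked = []
    for i in id_range:
        try:
            leaked.extend(handler(store, user, [i]))
        except Forbidden:
            continue
    return leaked

def seed_store() -> EntryStore:
    return EntryStore([
        Entry(1, "blog", "alice", "Public post", "hello"),
        Entry(2, "hr", "bob", "Salary bands", "CONFIDENTIAL"),
        Entry(3, "hr", "bob", "Layoff plan", "CONFIDENTIAL"),
    ])

def demo() -> dict[str, list[str]]:
    mallory = User("mallory", {"accessCp", "viewEntries:blog"})   # view-only, one section
    vuln = enumerate_ids(duplicate_action_vulnerable, seed_store(), mallory, range(1, 100))
    hard = enumerate_ids(duplicate_action_hardened, seed_store(), mallory, range(1, 100))
    return {"vulnerable": [e.body for e in vuln], "hardened": [e.body for e in hard]}

if __name__ == "__main__":
    print(demo())  # {'vulnerable': ['hello', 'CONFIDENTIAL', 'CONFIDENTIAL'], 'hardened': []}
```

Two design points carry over to any bulk element action: authorise all targets before writing any of them, so a batch with one forbidden ID leaves the store untouched, and return the same error for a missing ID and a forbidden one, so the scan cannot learn which IDs exist.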
Potential Impact
The primary impact is to confidentiality. An account with only 'View Entries' permission can obtain readable copies of entries it was never granted access to, including other authors' entries and entries in restricted sections, and because the IDs are sequential the whole entry table can be walked in one scripted pass. Depending on what the site keeps in entries this can expose unpublished content, internal documents or proprietary material, with the usual consequences of a data leak: reputational harm, contractual or regulatory exposure, and loss of competitive advantage. The low barrier (a low-privileged account, no user interaction, trivial enumeration) is what makes the exposure systemic rather than incidental. Availability is unaffected. The integrity effect is limited to the creation of unwanted duplicate entries under the attacker's account; those copies are also the most visible artefact that exploitation leaves behind.
Mitigation Recommendations
Upgrade Craft CMS to 5.9.0-beta.1 or later on the 5.x line, or 4.17.0-beta.1 or later on the 4.x line; these prereleases are where the fix first shipped, so sites that do not run prereleases should move to the first stable release that contains it. Until then, treat every control panel account as able to read every entry: review who holds 'View Entries' (and control panel access at all), remove accounts that do not need it, and prefer section-scoped permissions over site-wide ones. Do not rely on hiding or randomising entry IDs; they are sequential primary keys, the UI already hid the action and that was bypassed, and only the server-side per-element check closes the hole. For detection, watch for bursts of element-action requests from a single account and for newly created entries that are copies of restricted content: the duplicates are written under the attacker's account, so an audit of recently created entries by author is a direct exploitation check. WAF rules are of limited use here because the requests are authenticated and well-formed, but rate-limiting the control panel's element-action endpoint per session raises the cost of a full enumeration. Keep auditing permissions against least privilege, and have incident response ready to revoke the offending account and remove its duplicates.
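The detection idea above (many duplicate requests from one account walking consecutive IDs) as an added example, not Craft CMS code and not a feature the product ships. It assumes an application-side audit log in JSON Lines with one record per element-action request; Craft does not write such a log by default, so a plugin event listener or a reverse proxy that logs POST bodies would have to produce it. The field names (`ts`, `user`, `action`, `ids`, `result`) and every sample record are constructed for this demo.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Added detection example, not part of Craft CMS. The audit-log format below is
# an assumption (Craft does not emit it by default); records are constructed.

def _constructed_log() -> str:
    lines = [
        # editors doing ordinary things
        '{"ts":"2026-03-04T10:00:01Z","user":"carol","action":"Duplicate","ids":[17],"result":"ok"}',
        '{"ts":"2026-03-04T10:12:40Z","user":"carol","action":"Duplicate","ids":[42],"result":"ok"}',
        # one legitimate bulk duplicate of a page of entries: consecutive IDs, single request
        '{"ts":"2026-03-04T10:05:00Z","user":"dave","action":"Duplicate","ids":[30,31,32,33,34,35],"result":"ok"}',
        '{"ts":"2026-03-04T10:06:10Z","user":"dave","action":"SetStatus","ids":[30],"result":"ok"}',
    ]
    # a view-only account walking the ID space one request at a time
    for n in range(1, 13):
        ts = datetime(2026, 3, 4, 10, 1, 0) + timedelta(seconds=10 * n)
        lines.append(json.dumps({"ts": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "user": "mallory",
                                 "action": "Duplicate", "ids": [n],
                                 "result": "ok" if n % 3 else "denied"}))
    return "\n".join(lines) + "\n"

def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    return records

def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers in `ids`."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def detect(records, window=timedelta(minutes=5), min_requests=6, min_run=5) -> list:
    """Alert when one user issues many Duplicate requests inside `window` whose
    target IDs form a long consecutive run. Two thresholds on purpose: a single
    bulk request over a page of entries is also consecutive, but it is one request."""
    by_user = defaultdict(list)
    for r in records:
        if r["action"] == "Duplicate":
            by_user[r["user"]].append(r)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda r: r["ts"])
        seen = Counter()   # ids currently inside the sliding window
        left = 0
        for right, ev in enumerate(evs):
            seen.update(ev["ids"])
            while ev["ts"] - evs[left]["ts"] > window:   # slide the left edge
                for i in evs[left]["ids"]:
                    seen[i] -= 1
                    if seen[i] <= 0:
                        del seen[i]
                left += 1
            requests = right - left + 1
            run = longest_consecutive_run(seen)
            if requests >= min_requests and run >= min_run:
                alerts.append({"user": user, "from": evs[left]["ts"], "to": ev["ts"],
                               "requests": requests, "distinct_ids": len(seen),
                               "longest_run": run,
                               "denied": sum(1 for e in evs[left:right + 1] if e["result"] == "denied")})
                break   # one alert per user is enough for triage
    return alerts

def demo() -> list:
    return detect(parse_log(_constructed_log()))

if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

On a patched instance the same scan shows up as a run of `denied` results, which is worth alerting on in its own right: a view-only account has no reason to attempt the action at all. On an unpatched instance the `ok` results are the confirmation that copies now exist and need to be found and removed.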
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.244Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a86252d1a09e29cb4c0647
Added to database: 3/4/2026, 4:48:18 PM
Last enriched: 3/4/2026, 5:03:21 PM
Last updated: 3/4/2026, 6:03:58 PM