Craft CMS, a popular content management system, suffers from an improper authorization vulnerability identified as CVE-2026-33162. This vulnerability exists in versions 5.3.0 up to but not including 5.9.14. The issue arises because authenticated control panel users possessing only the accessCp permission can perform unauthorized actions to move entries between sections by sending POST requests to the /actions/entries/move-to-section endpoint. Critically, these users do not need the saveEntries:{sectionUid} permission for either the source or destination section, which should normally restrict such operations. This improper authorization flaw violates the principle of least privilege, allowing users to alter content structure beyond their intended access rights. The vulnerability is classified under CWE-285 (Improper Authorization) and CWE-862 (Missing Authorization). The attack vector is network-based with low attack complexity, requiring only authenticated access but no additional user interaction. The vulnerability impacts the integrity of content management by enabling unauthorized content relocation, potentially disrupting website structure and content delivery. The issue was addressed and patched in Craft CMS version 5.9.14. No public exploits or active exploitation have been reported to date.

The primary impact of this vulnerability is on the integrity of content within affected Craft CMS installations. Unauthorized users with minimal permissions can move entries across sections, potentially causing content misplacement, confusion, or disruption of website navigation and user experience. This could lead to reputational damage, loss of user trust, and operational challenges for organizations relying on Craft CMS for content delivery. While the vulnerability does not directly expose sensitive data or enable remote code execution, the ability to manipulate content structure without proper authorization can be leveraged for further attacks or social engineering. Organizations with complex content hierarchies or strict content governance policies are particularly at risk. The medium CVSS score reflects moderate risk, as exploitation requires authenticated access but no additional privileges or user interaction. Since Craft CMS is used globally by various organizations, the impact can be widespread if unpatched.

Organizations should upgrade Craft CMS installations to version 5.9.14 or later, where this vulnerability is patched. Until upgrading is possible, administrators should review and tighten user permissions, ensuring that only trusted users have accessCp rights. Implement strict role-based access controls (RBAC) and audit user permissions regularly to prevent unauthorized content manipulation. Monitoring and logging of content modification activities, especially entry movements between sections, can help detect suspicious behavior. Additionally, consider implementing multi-factor authentication (MFA) for control panel access to reduce the risk of compromised credentials. Network-level protections such as IP whitelisting for administrative access and web application firewalls (WAFs) with custom rules to detect anomalous POST requests to the affected endpoint can provide additional layers of defense. Finally, educate content managers and administrators about the importance of applying security patches promptly.