CVE-2026-33162: CWE-285: Improper Authorization in craftcms cms
CVE-2026-33162 is an improper authorization vulnerability in Craft CMS versions 5.3.0 through 5.9.13. Authenticated control panel users with only the accessCp permission can move entries between sections via a POST request, even without having the required saveEntries permission for the source or destination sections. This flaw allows unauthorized modification of content organization within the CMS. The vulnerability has been patched in version 5.9.14.
AI Analysis
Technical Summary
Craft CMS is a widely used content management system that organizes website content into sections and entries. In versions 5.3.0 through 5.9.13, a vulnerability identified as CVE-2026-33162 allows an authenticated user with minimal control panel access (the accessCp permission) to move entries across sections without possessing the saveEntries permission for either the source or the destination section. This improper authorization issue arises from insufficient permission checks on the POST /actions/entries/move-to-section endpoint. Normally, moving entries between sections should require explicit saveEntries permissions to prevent unauthorized content manipulation. Because of this flaw, such users can reorganize content arbitrarily, potentially disrupting site structure, content integrity, and editorial workflows. The vulnerability requires no user interaction beyond authentication and can be exploited remotely over the network. The issue was addressed in Craft CMS version 5.9.14. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and low privileges required, with high impact on integrity but no impact on confidentiality or availability.
Potential Impact
The vulnerability allows unauthorized modification of content organization within Craft CMS installations, which can lead to several adverse effects. Attackers with minimal authenticated access can disrupt website content structure by moving entries between sections without proper authorization, potentially causing confusion, misinformation, or loss of editorial control. This can degrade the integrity of published content, damage brand reputation, and impair user trust. In environments where content sections correspond to different access levels or content types, unauthorized moves could expose sensitive content or violate compliance requirements. Although the vulnerability does not directly expose confidential data or cause denial of service, the integrity impact can be significant for organizations relying heavily on Craft CMS for content management. The requirement for authenticated access limits exploitation to insiders or compromised accounts, but the ease of exploitation and lack of additional user interaction increase risk. Organizations with multiple editors or third-party contributors are particularly vulnerable to misuse or abuse of this flaw.
Mitigation Recommendations
To mitigate this vulnerability, organizations should upgrade Craft CMS to version 5.9.14 or later, where the authorization checks have been properly enforced. Until upgrading is possible, administrators should restrict control panel access strictly to trusted users and review user permissions to minimize the number of users with accessCp rights. Implementing multi-factor authentication (MFA) for control panel access can reduce the risk of account compromise. Monitoring and auditing content changes, especially moves between sections, can help detect unauthorized activity early. Additionally, consider implementing web application firewalls (WAFs) with custom rules to detect and block suspicious POST requests to /actions/entries/move-to-section. Regularly reviewing and tightening CMS user roles and permissions will also reduce the attack surface. Finally, educating content editors and administrators about the risk and signs of exploitation can improve organizational readiness.
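As an added example (not part of this advisory or of Craft CMS itself), the following Python checker applies the monitoring advice above to web-server access logs in the standard Apache/nginx combined format: it picks out POST requests to /actions/entries/move-to-section, splits them per source IP into accepted and rejected responses, and flags IPs with a burst of accepted moves for a permission review. The log lines are constructed samples, and the burst threshold of three is an assumption to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from any real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2026:17:46:01 +0000] "POST /actions/entries/save-entry HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Mar/2026:17:46:30 +0000] "POST /actions/entries/move-to-section HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2026:17:47:02 +0000] "POST /actions/entries/move-to-section HTTP/1.1" 200 210 "-" "curl/8.0"
10.0.0.9 - - [24/Mar/2026:17:47:03 +0000] "POST /actions/entries/move-to-section HTTP/1.1" 200 210 "-" "curl/8.0"
10.0.0.9 - - [24/Mar/2026:17:47:04 +0000] "POST /actions/entries/move-to-section HTTP/1.1" 200 210 "-" "curl/8.0"
10.0.0.9 - - [24/Mar/2026:17:47:05 +0000] "POST /actions/entries/move-to-section?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"
10.0.0.7 - - [24/Mar/2026:17:48:00 +0000] "GET /admin/entries HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

MOVE_ENDPOINT = "/actions/entries/move-to-section"  # endpoint named in the advisory

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string so "?x=1" variants still match the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec

def find_move_requests(log_text):
    """Every parsed POST to the move-to-section action, regardless of status code."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == MOVE_ENDPOINT:
            hits.append(rec)
    return hits

def summarize_by_ip(log_text):
    """Per source IP: how many moves were accepted (2xx) versus rejected (anything else)."""
    summary = defaultdict(lambda: {"succeeded": 0, "rejected": 0})
    for rec in find_move_requests(log_text):
        key = "succeeded" if 200 <= rec["status"] < 300 else "rejected"
        summary[rec["ip"]][key] += 1
    return dict(summary)

def flag_bursts(log_text, threshold=3):
    """IPs whose accepted move count reaches the (assumed) threshold; review their permissions."""
    return sorted(ip for ip, c in summarize_by_ip(log_text).items() if c["succeeded"] >= threshold)
```

On an unpatched site every accepted move from a user who lacks saveEntries is suspect, so the threshold only prioritizes review; it does not replace upgrading to 5.9.14.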
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T21:17:08.887Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69c2cdd9f4197a8e3b58a8ca
Added to database: 3/24/2026, 5:46:01 PM
Last enriched: 3/31/2026, 8:22:39 PM
Last updated: 5/7/2026, 4:25:22 AM