GHSA-QQ2C-2Q8J-JH27
Vulnerability from github – Published: 2026-07-02 18:45 – Updated: 2026-07-02 18:45Summary
EntriesController::actionSaveEntry() performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied authors / author parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry’s authorship to another user without holding the dedicated peer-author-change permission.
Details
The control flow begins in EntriesController.php:249. actionSaveEntry() loads the entry and enforces edit permissions before calling _populateEntryModel():
public function actionSaveEntry(bool $duplicate = false): ?Response
{
...
$entry = $this->_editableEntry($this->request->getBodyParam('entryId'), $siteId);
...
$this->enforceEditEntryPermissions($entry, $duplicate);
...
$this->_populateEntryModel($entry);
...
$success = Craft::$app->getElements()->saveElement($entry);
}
The attacker-controlled source is in EntriesController.php:588:
$entry->setAttributesFromRequest(array_filter([
'authorIds' => $this->request->getBodyParam('authors') ??
$this->request->getBodyParam('author') ??
$entry->getAuthorId() ??
static::currentUser()->id,
]));
Entry::setAttributesFromRequest() in Entry.php:1124 extracts the new author IDs and applies them if canChangeAuthor() returns true:
if (
($authorIds !== null || $authorId !== null) &&
$this->canChangeAuthor()
) {
$this->_oldAuthorIds = $oldAuthorIds;
$this->setAuthorIds($authorIds);
}
canChangeAuthor() at Entry.php:2789 allows the author change when the current user can view peer entries and is already one of the existing authors:
return (
empty($authorIds) ||
in_array($user->id, $authorIds) ||
$user->can("changeAuthorForPeerEntries:$section->uid")
);
After the author list is mutated, the controller does not re-check authorization.
This closes the exploit chain:
- External source: authenticated request to
entries/save-entrywith attacker-controlledauthors[]. - Trust boundary failure: authorization is checked on the pre-mutation entry state, not on the post-mutation author assignment.
- Privileged sink: the author relationship is rewritten in persistent storage.
Preconditions derived from the source:
- The attacker is authenticated and can edit entry
345. - The attacker is among the existing authors of entry
345, or otherwise satisfiescanChangeAuthor()through the old author set. - The attacker has
viewPeerEntriesfor the section. - User ID
1exists and can be assigned as an author in that section.
Result:
enforceEditEntryPermissions()succeeds on the original entry state._populateEntryModel()readsauthors[]=1from the request body.setAttributesFromRequest()updatesauthorIdsbecausecanChangeAuthor()is evaluated against the old authorship state.saveElement()persists the change and_saveAuthors()rewrites the entry-author relation.- Entry
345now appears authored by user1.
Impact
This allows low-privileged users to falsify content ownership and alter the authorship of entries without having the dedicated author-management permission. The impact includes corrupted audit trails, misleading notifications, broken approval workflows, and unauthorized reassignment of content responsibility.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "craftcms/cms"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-RC1"
},
{
"fixed": "5.9.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-50279"
],
"database_specific": {
"cwe_ids": [
"CWE-285"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-02T18:45:28Z",
"nvd_published_at": "2026-07-02T00:16:44Z",
"severity": "HIGH"
},
"details": "### Summary\n\n`EntriesController::actionSaveEntry()` performs entry-edit permission checks before request-controlled author changes are applied to the model. The subsequent author mutation path accepts attacker-supplied `authors` / `author` parameters and allows the change when the current user is one of the old authors. Because the controller does not re-run authorization after mutating the author list, a low-privileged user can reassign an entry\u2019s authorship to another user without holding the dedicated peer-author-change permission.\n\n### Details\nThe control flow begins in [EntriesController.php](/D:/files/projects/cms-5.9.19/cms-5.9.19/src/controllers/EntriesController.php):249. `actionSaveEntry()` loads the entry and enforces edit permissions before calling `_populateEntryModel()`:\n\n```php\npublic function actionSaveEntry(bool $duplicate = false): ?Response\n{\n ...\n $entry = $this-\u003e_editableEntry($this-\u003erequest-\u003egetBodyParam(\u0027entryId\u0027), $siteId);\n ...\n $this-\u003eenforceEditEntryPermissions($entry, $duplicate);\n ...\n $this-\u003e_populateEntryModel($entry);\n ...\n $success = Craft::$app-\u003egetElements()-\u003esaveElement($entry);\n}\n```\n\nThe attacker-controlled source is in [EntriesController.php](/D:/files/projects/cms-5.9.19/cms-5.9.19/src/controllers/EntriesController.php):588:\n\n```php\n$entry-\u003esetAttributesFromRequest(array_filter([\n \u0027authorIds\u0027 =\u003e $this-\u003erequest-\u003egetBodyParam(\u0027authors\u0027) ??\n $this-\u003erequest-\u003egetBodyParam(\u0027author\u0027) ??\n $entry-\u003egetAuthorId() ??\n static::currentUser()-\u003eid,\n]));\n```\n\n`Entry::setAttributesFromRequest()` in [Entry.php](/D:/files/projects/cms-5.9.19/cms-5.9.19/src/elements/Entry.php):1124 extracts the new author IDs and applies them if `canChangeAuthor()` returns true:\n\n```php\nif (\n ($authorIds !== null || $authorId !== null) \u0026\u0026\n $this-\u003ecanChangeAuthor()\n) {\n $this-\u003e_oldAuthorIds = $oldAuthorIds;\n $this-\u003esetAuthorIds($authorIds);\n}\n```\n\n`canChangeAuthor()` at [Entry.php](/D:/files/projects/cms-5.9.19/cms-5.9.19/src/elements/Entry.php):2789 allows the author change when the current user can view peer entries and is already one of the existing authors:\n\n```php\nreturn (\n empty($authorIds) ||\n in_array($user-\u003eid, $authorIds) ||\n $user-\u003ecan(\"changeAuthorForPeerEntries:$section-\u003euid\")\n);\n```\n\nAfter the author list is mutated, the controller does not re-check authorization. \n\nThis closes the exploit chain:\n\n1. External source: authenticated request to `entries/save-entry` with attacker-controlled `authors[]`.\n2. Trust boundary failure: authorization is checked on the pre-mutation entry state, not on the post-mutation author assignment.\n3. Privileged sink: the author relationship is rewritten in persistent storage.\n\nPreconditions derived from the source:\n\n1. The attacker is authenticated and can edit entry `345`.\n2. The attacker is among the existing authors of entry `345`, or otherwise satisfies `canChangeAuthor()` through the old author set.\n3. The attacker has `viewPeerEntries` for the section.\n4. User ID `1` exists and can be assigned as an author in that section.\n\nResult:\n\n1. `enforceEditEntryPermissions()` succeeds on the original entry state.\n2. `_populateEntryModel()` reads `authors[]=1` from the request body.\n3. `setAttributesFromRequest()` updates `authorIds` because `canChangeAuthor()` is evaluated against the old authorship state.\n4. `saveElement()` persists the change and `_saveAuthors()` rewrites the entry-author relation.\n5. Entry `345` now appears authored by user `1`.\n\n### Impact\n\nThis allows low-privileged users to falsify content ownership and alter the authorship of entries without having the dedicated author-management permission. The impact includes corrupted audit trails, misleading notifications, broken approval workflows, and unauthorized reassignment of content responsibility.",
"id": "GHSA-qq2c-2q8j-jh27",
"modified": "2026-07-02T18:45:28Z",
"published": "2026-07-02T18:45:28Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-qq2c-2q8j-jh27"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50279"
},
{
"type": "WEB",
"url": "https://github.com/craftcms/cms/commit/9cc493be8b414d7116c7f2bc2a6d0926e73f1248"
},
{
"type": "PACKAGE",
"url": "https://github.com/craftcms/cms"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Craft CMS: Authorship spoofing in `entries/save-entry` via pre-check/post-mutation authorization gap"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.