CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-25497: Craft CMS: The Old GraphQL Switcheroo

Vulnerability ID: CVE-2026-25497
CVSS Score: 8.6
Published: 2026-02-09

A high-severity privilege escalation vulnerability in Craft CMS allows authenticated users with write access to any asset volume to manipulate assets in volumes they shouldn't be able to touch. By exploiting a logic flaw in the GraphQL saveAsset mutation, attackers can bypass authorization checks and modify, move, or delete restricted files.

TL;DR

Classic IDOR/Logic flaw. The system checks if you have permission for Volume A, but lets you modify an Asset from Volume B. If you can upload files anywhere, you can mess with files everywhere. Fixed in 5.8.22.
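The mismatch the TL;DR describes, as an added in-memory model (not Craft CMS code): a hypothetical `save_asset` resolver that, unpatched, only authorises the volume named in the mutation, and, patched, also authorises the volume the asset really belongs to, mirroring the guard in commit ac7edf8. `Volume`, `Asset`, `Schema` and the sample data are constructed for the example; the rename-and-move effect of the mutation is an assumption.

```python
"""Model of the volume-permission flaw behind CVE-2026-25497.

Constructed example: an in-memory stand-in for the saveAsset resolver, not
Craft CMS code. Names (Volume, Asset, Schema, save_asset) are hypothetical.
"""
from dataclasses import dataclass


class SchemaActionDenied(Exception):
    """The GraphQL schema in use lacks the required volume action."""


@dataclass
class Volume:
    id: int
    uid: str


@dataclass
class Asset:
    id: int
    volume_id: int
    title: str


@dataclass(frozen=True)
class Schema:
    """Hypothetical GraphQL schema scope: granted '<entity>:<action>' pairs."""
    scopes: frozenset

    def require_action(self, entity: str, action: str) -> None:
        # Stand-in for requireSchemaAction(): raise when the scope is missing.
        if f"{entity}:{action}" not in self.scopes:
            raise SchemaActionDenied(f"schema lacks {entity}:{action}")


def fresh_store():
    """Constructed sample data: a public volume and a restricted one."""
    volumes = {1: Volume(1, "vol-public"), 2: Volume(2, "vol-restricted")}
    assets = {10: Asset(10, 1, "banner.png"), 20: Asset(20, 2, "contract.pdf")}
    return volumes, assets


def save_asset(schema, volumes, assets, volume_id, asset_id=None,
               title=None, *, patched):
    """Model of the saveAsset mutation.

    volume_id is the volume named in the mutation; asset_id (optional) is an
    existing asset to update. With patched=False only the *requested* volume is
    authorised, which is the flaw; with patched=True the asset's *actual* volume
    is authorised too, mirroring the guard added in commit ac7edf8.
    """
    volume = volumes[volume_id]
    if asset_id is not None:
        asset = assets.get(asset_id)
        if asset is None:
            raise LookupError("No such asset exists")
        schema.require_action(f"volumes.{volume.uid}", "save")
        if patched and asset.volume_id != volume.id:
            actual = volumes[asset.volume_id]
            schema.require_action(f"volumes.{actual.uid}", "save")
    else:
        schema.require_action(f"volumes.{volume.uid}", "create")
        asset = Asset(max(assets) + 1, volume.id, title or "untitled")
        assets[asset.id] = asset
    # Assumed mutation effects: rename and move the asset into the requested volume.
    if title is not None:
        asset.title = title
    asset.volume_id = volume.id
    return asset


def attempt(schema, volume_id, asset_id, title, patched):
    """Run one mutation on fresh data; return ('ok'|'denied', title, volume_id)."""
    volumes, assets = fresh_store()
    try:
        save_asset(schema, volumes, assets, volume_id, asset_id, title, patched=patched)
    except SchemaActionDenied:
        return "denied", assets[asset_id].title, assets[asset_id].volume_id
    return "ok", assets[asset_id].title, assets[asset_id].volume_id


# A schema granted only the public volume: "write access to at least one volume".
PUBLIC_ONLY = Schema(frozenset({"volumes.vol-public:save", "volumes.vol-public:create"}))

if __name__ == "__main__":
    # Unpatched: editing the restricted asset through the public volume succeeds.
    print(attempt(PUBLIC_ONLY, 1, 20, "renamed.pdf", patched=False))
    # Patched: the same request is refused and the asset is left untouched.
    print(attempt(PUBLIC_ONLY, 1, 20, "renamed.pdf", patched=True))
```

The point to take from the model is that the fix is an additional check, not a replacement: editing an asset inside the volume you already hold still works, and a schema that holds `save` on both volumes can still move an asset between them.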


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-639
  • Attack Vector: Network (GraphQL)
  • CVSS Score: 8.6 (High)
  • Impact: Privilege Escalation / Data Manipulation
  • Prerequisites: Authenticated user with write access to at least one volume
  • KEV Status: Not Listed

Affected Systems

  • Craft CMS 4.x (prior to 4.17.0-beta.1)
  • Craft CMS 5.x (prior to 5.8.22)
  • Craft CMS: >= 4.0.0-RC1, < 4.17.0-beta.1 (Fixed in: 4.17.0-beta.1)
  • Craft CMS: >= 5.0.0-RC1, < 5.8.22 (Fixed in: 5.8.22)

Code Analysis

Commit: ac7edf8

Enforce volume permission check on the actual asset volume, not just the requested volume.

@@ -75,6 +75,10 @@ public function saveAsset(mixed $source, array $arguments, mixed $context, Resol
             if (!$asset) {
                 throw new Error('No such asset exists');
             }
+
+            if ($asset->volumeId !== $volume->id) {
+                $this->requireSchemaAction('volumes.' . $asset->getVolume()->uid, 'save');
+            }
         } else {
             $this->requireSchemaAction('volumes.' . $volume->uid, 'create');
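Review bot: the new guard at `if ($asset->volumeId !== $volume->id)` only authorises the asset's real volume when it differs from the requested one, and the hunk shows no `save` check for the case where they match (the visible `else` branch only covers `create`), so please confirm a `requireSchemaAction('volumes.' . $volume->uid, 'save')` already sits above this hunk; otherwise an edit of an asset in the requested volume would pass with no authorization at all. An unconditional `$this->requireSchemaAction('volumes.' . $asset->getVolume()->uid, 'save');` for the existing-asset branch would state the intent (you may only save an asset in a volume you can save to) without depending on the `!==` comparison of the two ids.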

Exploit Details

  • Hypothetical: Exploitation requires crafting a GraphQL mutation with mismatched volumeId and assetId arguments.

Mitigation Strategies

  • Update Craft CMS immediately.
  • Audit GraphQL schema permissions.
  • Restrict 'save' actions on volumes to trusted admins only until patched.

Remediation Steps:

  1. Check your composer.json file for craftcms/cms.
  2. Run composer update craftcms/cms to pull the latest version.
  3. Verify the installed version is >= 5.8.22 or >= 4.17.0-beta.1.
  4. Review audit logs for unexplained asset movements or title changes.
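Step 3 in code, as an added example that is not a Craft or Composer tool: read the locked `craftcms/cms` version out of a `composer.lock` and test it against the affected ranges listed above. The version parser is a simplified model of Composer's ordering (pre-release labels below the stable release of the same number), and the `composer.lock` fragment is constructed for the example.

```python
"""Check a composer.lock for a Craft CMS version affected by CVE-2026-25497.

Constructed example for the remediation steps above; not a Craft or Composer
tool. Version parsing is a simplified model of Composer's ordering.
"""
import json
import re

# Pre-release labels rank below a stable release of the same number.
PRE_RANK = {"dev": 0, "alpha": 1, "a": 1, "beta": 2, "b": 2, "rc": 3}
STABLE_RANK = 4

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]?(alpha|beta|rc|dev|a|b)\.?(\d*))?$", re.I)


def parse_version(text):
    """Turn '4.17.0-beta.1' into a comparable tuple (4, 17, 0, 2, 1)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4):
        return nums + (PRE_RANK[m.group(4).lower()], int(m.group(5) or 0))
    return nums + (STABLE_RANK, 0)


# Affected ranges from the advisory, as [lower, upper) in parsed form.
AFFECTED = [
    (parse_version("4.0.0-RC1"), parse_version("4.17.0-beta.1")),
    (parse_version("5.0.0-RC1"), parse_version("5.8.22")),
]


def is_affected(version):
    """True when the version falls inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def craft_version_from_lock(lock_text):
    """Return the locked craftcms/cms version, or None if it is not present."""
    data = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            if pkg.get("name") == "craftcms/cms":
                return pkg.get("version")
    return None


def check_lock(lock_text):
    """Return (version, affected) for the craftcms/cms entry in a composer.lock."""
    version = craft_version_from_lock(lock_text)
    if version is None:
        return None, False
    return version, is_affected(version)


# Constructed composer.lock fragment (real files carry many more fields).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.8.21"},
        {"name": "example/other-package", "version": "1.2.3"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    version, affected = check_lock(SAMPLE_LOCK)
    print(f"craftcms/cms {version}: {'UPDATE REQUIRED' if affected else 'ok'}")
```

Run it against the real lock file with `check_lock(open("composer.lock").read())`; it reads the locked version rather than the `composer.json` constraint, because the constraint can allow a fixed release while the installed one is still affected.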

References


Read the full report for CVE-2026-25497 on our website for more details including interactive diagrams and full exploit analysis.