DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33162: CVE-2026-33162: Authorization Bypass in Craft CMS Entry Relocation

#security #cve #cybersecurity

CVE-2026-33162: Authorization Bypass in Craft CMS Entry Relocation

Vulnerability ID: CVE-2026-33162
CVSS Score: 4.9
Published: 2026-03-24

Craft CMS versions 5.3.0 to 5.9.13 and 4.x prior to 4.17.8 contain a Missing Authorization vulnerability (CWE-862) within the Control Panel. Authenticated users with baseline administrative access can bypass intended UI restrictions to arbitrarily relocate content entries between sections without possessing the required section-specific permissions.

TL;DR

An authorization bypass in Craft CMS allows authenticated users with standard Control Panel access to relocate content entries across sections without proper validation. The vulnerability is patched in versions 5.9.14 and 4.17.8 by implementing explicit server-side authorization checks.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-862
  • Attack Vector: Network
  • CVSS v4.0: 4.9
  • Impact: High Integrity Loss
  • Exploit Status: Proof of Concept
  • CISA KEV: Not Listed

Affected Systems

  • Craft CMS 5.x
  • Craft CMS 4.x
  • Craft CMS: >= 5.3.0, < 5.9.14 (Fixed in: 5.9.14)
  • Craft CMS: >= 4.0.0, < 4.17.8 (Fixed in: 4.17.8)

Code Analysis

Commit: 3c1ab1c

Fix Missing Authorization in EntriesController actionMoveToSection

Mitigation Strategies

  • Upgrade Craft CMS to a patched version immediately.
  • Audit and restrict users granted the accessCp permission.
  • Monitor application logs for anomalous POST requests to the vulnerable endpoint.

Remediation Steps:

  1. Verify current Craft CMS version using the Control Panel or console commands.
  2. Backup the database and application files prior to executing the update.
  3. Update to Craft CMS 5.9.14 or 4.17.8 via Composer.
  4. Review the Craft CMS audit logs to identify any historical unauthorized entry relocations.
  5. Adjust user roles to revoke Control Panel access from non-essential staff.

References

Read the full report for CVE-2026-33162 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)