{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/craft-cms--5.7.0--5.9.21/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-50281"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (\u003e= 5.7.0, \u003c 5.9.21)"],"_cs_severities":["high"],"_cs_tags":["web-application","vulnerability","mass-assignment","cve","cms"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eA critical mass assignment flaw (CVE-2026-50281) has been identified in Craft CMS versions 5.7.0 through 5.9.20, enabling low-privileged authenticated users to corrupt content integrity across the entire installation. This vulnerability, disclosed on July 2, 2026, stems from insufficient input validation within the \u003ccode\u003eactionBulkDuplicate()\u003c/code\u003e function. An attacker with basic entry duplication permissions can craft a request that includes a target element's \u003ccode\u003eid\u003c/code\u003e within the \u003ccode\u003enewAttributes\u003c/code\u003e parameter. This malicious \u003ccode\u003eid\u003c/code\u003e bypasses the system's intended \u003ccode\u003eid = null\u003c/code\u003e reset during the duplication process, leading the application to overwrite an existing element's data in the database instead of creating a new one. This flaw allows unauthorized modification of any element an attacker can predict or enumerate, significantly impacting data integrity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn authenticated attacker, possessing only the permission to duplicate an entry they own, logs into the Craft CMS administrative interface.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP POST request to the \u003ccode\u003eactionBulkDuplicate\u003c/code\u003e endpoint (e.g., \u003ccode\u003e/admin/actions/elements/bulk-duplicate\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThis request includes two required parameters: \u003ccode\u003eelements\u003c/code\u003e (identifying an entry the attacker owns) and \u003ccode\u003enewAttributes\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the \u003ccode\u003enewAttributes\u003c/code\u003e parameter, the attacker injects a \u003ccode\u003eid\u003c/code\u003e field containing the numeric primary key of an existing target element owned by another user or administrative account.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eElementsController::actionBulkDuplicate\u003c/code\u003e method processes this request, passing the \u003ccode\u003enewAttributes\u003c/code\u003e parameter to the service layer without performing an explicit \u003ccode\u003eid\u003c/code\u003e validation check for nested attributes.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eElements::duplicateElement\u003c/code\u003e attempts to clone the source element and explicitly sets the new element's \u003ccode\u003eid\u003c/code\u003e to \u003ccode\u003enull\u003c/code\u003e in preparation for a new database record.\u003c/li\u003e\n\u003cli\u003eImmediately afterward, \u003ccode\u003eCraft::configure\u003c/code\u003e applies the attacker-provided \u003ccode\u003enewAttributes\u003c/code\u003e array to the cloned element. Due to \u003ccode\u003eid\u003c/code\u003e being present in \u003ccode\u003esafeAttributes()\u003c/code\u003e, the attacker's \u003ccode\u003eid\u003c/code\u003e value overwrites the \u003ccode\u003eid=null\u003c/code\u003e value.\u003c/li\u003e\n\u003cli\u003eThe underlying database save operation (via Yii's \u003ccode\u003esaveElement()\u003c/code\u003e) then performs an \u003ccode\u003eUPDATE\u003c/code\u003e on the database row identified by the attacker-controlled \u003ccode\u003eid\u003c/code\u003e, effectively overwriting the target element's data with the attacker's supplied content.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-50281 allows a low-privileged authenticated user to overwrite the data of any existing elements within the Craft CMS installation. This includes entries, categories, and even user accounts that share the \u003ccode\u003eEntry\u003c/code\u003e element table inheritance. The primary impact is a complete loss of content integrity, as an attacker can arbitrarily modify or deface content owned by other users or even administrative content. This can lead to misinformation, reputational damage, and potentially further compromise if critical information in other elements is overwritten. The attack requires only the ability to duplicate an existing entry.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50281 immediately by upgrading Craft CMS to version 5.9.21 or later.\u003c/li\u003e\n\u003cli\u003eReview access control configurations for all users to ensure the principle of least privilege is applied, especially regarding content creation and duplication permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:31:44Z","date_published":"2026-07-03T11:31:44Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-mass-assignment/","summary":"A high-severity mass assignment vulnerability (CVE-2026-50281) in Craft CMS versions prior to 5.9.21 allows a low-privileged authenticated attacker to overwrite arbitrary existing element data, such as entries or user profiles, by manipulating the `newAttributes` parameter during a bulk duplication action.","title":"Craft CMS Mass Assignment Vulnerability Allows Element Overwrites (CVE-2026-50281)","url":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-mass-assignment/"}],"language":"en","title":"CraftedSignal Threat Feed - Craft CMS (\u003e= 5.7.0, \u003c 5.9.21)","version":"https://jsonfeed.org/version/1.1"}