<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft CMS (&gt;= 5.7.0, &lt; 5.9.21) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/craft-cms--5.7.0--5.9.21/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:31:44 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/craft-cms--5.7.0--5.9.21/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS Mass Assignment Vulnerability Allows Element Overwrites (CVE-2026-50281)</title><link>https://feed.craftedsignal.io/briefs/2026-07-craft-cms-mass-assignment/</link><pubDate>Fri, 03 Jul 2026 11:31:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-craft-cms-mass-assignment/</guid><description>A high-severity mass assignment vulnerability (CVE-2026-50281) in Craft CMS versions prior to 5.9.21 allows a low-privileged authenticated attacker to overwrite arbitrary existing element data, such as entries or user profiles, by manipulating the `newAttributes` parameter during a bulk duplication action.</description><content:encoded><![CDATA[<p>A critical mass assignment flaw (CVE-2026-50281) has been identified in Craft CMS versions 5.7.0 through 5.9.20, enabling low-privileged authenticated users to corrupt content integrity across the entire installation. This vulnerability, disclosed on July 2, 2026, stems from insufficient input validation within the <code>actionBulkDuplicate()</code> function. An attacker with basic entry duplication permissions can craft a request that includes a target element's <code>id</code> within the <code>newAttributes</code> parameter. This malicious <code>id</code> bypasses the system's intended <code>id = null</code> reset during the duplication process, leading the application to overwrite an existing element's data in the database instead of creating a new one. This flaw allows unauthorized modification of any element an attacker can predict or enumerate, significantly impacting data integrity.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An authenticated attacker, possessing only the permission to duplicate an entry they own, logs into the Craft CMS administrative interface.</li>
<li>The attacker crafts a malicious HTTP POST request to the <code>actionBulkDuplicate</code> endpoint (e.g., <code>/admin/actions/elements/bulk-duplicate</code>).</li>
<li>This request includes two required parameters: <code>elements</code> (identifying an entry the attacker owns) and <code>newAttributes</code>.</li>
<li>Within the <code>newAttributes</code> parameter, the attacker injects a <code>id</code> field containing the numeric primary key of an existing target element owned by another user or administrative account.</li>
<li>The <code>ElementsController::actionBulkDuplicate</code> method processes this request, passing the <code>newAttributes</code> parameter to the service layer without performing an explicit <code>id</code> validation check for nested attributes.</li>
<li><code>Elements::duplicateElement</code> attempts to clone the source element and explicitly sets the new element's <code>id</code> to <code>null</code> in preparation for a new database record.</li>
<li>Immediately afterward, <code>Craft::configure</code> applies the attacker-provided <code>newAttributes</code> array to the cloned element. Due to <code>id</code> being present in <code>safeAttributes()</code>, the attacker's <code>id</code> value overwrites the <code>id=null</code> value.</li>
<li>The underlying database save operation (via Yii's <code>saveElement()</code>) then performs an <code>UPDATE</code> on the database row identified by the attacker-controlled <code>id</code>, effectively overwriting the target element's data with the attacker's supplied content.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-50281 allows a low-privileged authenticated user to overwrite the data of any existing elements within the Craft CMS installation. This includes entries, categories, and even user accounts that share the <code>Entry</code> element table inheritance. The primary impact is a complete loss of content integrity, as an attacker can arbitrarily modify or deface content owned by other users or even administrative content. This can lead to misinformation, reputational damage, and potentially further compromise if critical information in other elements is overwritten. The attack requires only the ability to duplicate an existing entry.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50281 immediately by upgrading Craft CMS to version 5.9.21 or later.</li>
<li>Review access control configurations for all users to ensure the principle of least privilege is applied, especially regarding content creation and duplication permissions.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-application</category><category>vulnerability</category><category>mass-assignment</category><category>cve</category><category>cms</category></item></channel></rss>