<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Craft CMS (5.0.0-RC1 to 5.9.20) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/craft-cms-5.0.0-rc1-to-5.9.20/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 11:49:22 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/craft-cms-5.0.0-rc1-to-5.9.20/feed.xml" rel="self" type="application/rss+xml"/><item><title>Craft CMS Authorship Spoofing via Authorization Bypass (CVE-2026-50279)</title><link>https://feed.craftedsignal.io/briefs/2026-07-craft-cms-authorship-spoofing/</link><pubDate>Fri, 03 Jul 2026 11:49:22 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-craft-cms-authorship-spoofing/</guid><description>A low-privileged authenticated user can exploit CVE-2026-50279, an authorization bypass vulnerability in Craft CMS's `entries/save-entry` endpoint, to reassign an entry's authorship to another user without proper permissions, leading to corrupted audit trails and misleading content ownership.</description><content:encoded><![CDATA[<p>CVE-2026-50279 details an authorization bypass vulnerability in Craft CMS versions prior to 5.9.21. Specifically, the <code>EntriesController::actionSaveEntry()</code> function performs crucial entry-edit permission checks <em>before</em> any attacker-supplied author changes are applied to the entry model. Due to this pre-mutation authorization check, a low-privileged user who is authenticated, has permission to edit an entry, and is listed as one of its existing authors (or satisfies <code>canChangeAuthor()</code> through peer entry permissions) can submit a request with crafted <code>authors</code> or <code>author</code> parameters. The controller then fails to re-run authorization after the author list has been mutated, allowing the unauthorized change to persist. This vulnerability allows falsification of content ownership, corrupting audit trails, sending misleading notifications, and breaking approval workflows within the CMS.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A low-privileged authenticated user crafts an HTTP POST request targeting the <code>/entries/save-entry</code> endpoint of a vulnerable Craft CMS instance.</li>
<li>The request includes parameters (<code>authors</code> or <code>author</code>) attempting to change the entry's author to a different user, for which the attacker does not hold explicit author-management permission.</li>
<li>The <code>actionSaveEntry()</code> function in <code>EntriesController.php</code> loads the target entry and performs initial edit permission checks based on the <em>original</em> entry state and the attacker's existing permissions (e.g., being an existing author of the entry).</li>
<li>The <code>_populateEntryModel()</code> helper function then processes the request, updating the entry model's <code>authorIds</code> attribute with the attacker-supplied values, critically <em>before</em> authorization for this specific author change is re-evaluated.</li>
<li>The <code>canChangeAuthor()</code> method is invoked and returns <code>true</code> because it evaluates against the old authorship state, where the current user is still considered one of the existing authors or meets other conditions like <code>viewPeerEntries</code> for the section.</li>
<li>The entry's author list is internally mutated within the model with the new, unauthorized <code>authorIds</code> provided by the attacker.</li>
<li>The controller proceeds without re-running comprehensive authorization checks on the <em>new</em> author assignment, assuming the initial check was sufficient.</li>
<li>The <code>saveElement()</code> and <code>_saveAuthors()</code> methods persist the altered author relationship to the database, resulting in the entry now appearing authored by the user specified by the attacker, effectively spoofing content ownership and compromising data integrity.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-50279 allows low-privileged users to falsify content ownership and alter the authorship of entries without possessing the dedicated author-management permission. This leads to several critical impacts including corrupted audit trails, where the true historical author of content is obscured, misleading notifications being sent to incorrect users, broken approval workflows as content changes may bypass designated reviewers, and unauthorized reassignment of content responsibility. This can severely undermine trust in the CMS content and its operational processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-50279 immediately by updating all Craft CMS installations to version 5.9.21 or later.</li>
<li>Review application logs for the vulnerable <code>/entries/save-entry</code> (identified in IOCs) endpoint for unusual POST requests originating from low-privileged user accounts, especially those containing <code>authors</code> or <code>author</code> parameters, and investigate any successful changes in content ownership.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authorship-spoofing</category><category>authorization-bypass</category><category>web-application</category><category>craft-cms</category><category>cve</category></item></channel></rss>