{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/authorship-spoofing/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"id":"CVE-2026-50279"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Craft CMS (5.0.0-RC1 to 5.9.20)"],"_cs_severities":["high"],"_cs_tags":["authorship-spoofing","authorization-bypass","web-application","craft-cms","cve"],"_cs_type":"advisory","_cs_vendors":["Craft CMS"],"content_html":"\u003cp\u003eCVE-2026-50279 details an authorization bypass vulnerability in Craft CMS versions prior to 5.9.21. Specifically, the \u003ccode\u003eEntriesController::actionSaveEntry()\u003c/code\u003e function performs crucial entry-edit permission checks \u003cem\u003ebefore\u003c/em\u003e any attacker-supplied author changes are applied to the entry model. Due to this pre-mutation authorization check, a low-privileged user who is authenticated, has permission to edit an entry, and is listed as one of its existing authors (or satisfies \u003ccode\u003ecanChangeAuthor()\u003c/code\u003e through peer entry permissions) can submit a request with crafted \u003ccode\u003eauthors\u003c/code\u003e or \u003ccode\u003eauthor\u003c/code\u003e parameters. The controller then fails to re-run authorization after the author list has been mutated, allowing the unauthorized change to persist. This vulnerability allows falsification of content ownership, corrupting audit trails, sending misleading notifications, and breaking approval workflows within the CMS.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged authenticated user crafts an HTTP POST request targeting the \u003ccode\u003e/entries/save-entry\u003c/code\u003e endpoint of a vulnerable Craft CMS instance.\u003c/li\u003e\n\u003cli\u003eThe request includes parameters (\u003ccode\u003eauthors\u003c/code\u003e or \u003ccode\u003eauthor\u003c/code\u003e) attempting to change the entry's author to a different user, for which the attacker does not hold explicit author-management permission.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eactionSaveEntry()\u003c/code\u003e function in \u003ccode\u003eEntriesController.php\u003c/code\u003e loads the target entry and performs initial edit permission checks based on the \u003cem\u003eoriginal\u003c/em\u003e entry state and the attacker's existing permissions (e.g., being an existing author of the entry).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_populateEntryModel()\u003c/code\u003e helper function then processes the request, updating the entry model's \u003ccode\u003eauthorIds\u003c/code\u003e attribute with the attacker-supplied values, critically \u003cem\u003ebefore\u003c/em\u003e authorization for this specific author change is re-evaluated.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecanChangeAuthor()\u003c/code\u003e method is invoked and returns \u003ccode\u003etrue\u003c/code\u003e because it evaluates against the old authorship state, where the current user is still considered one of the existing authors or meets other conditions like \u003ccode\u003eviewPeerEntries\u003c/code\u003e for the section.\u003c/li\u003e\n\u003cli\u003eThe entry's author list is internally mutated within the model with the new, unauthorized \u003ccode\u003eauthorIds\u003c/code\u003e provided by the attacker.\u003c/li\u003e\n\u003cli\u003eThe controller proceeds without re-running comprehensive authorization checks on the \u003cem\u003enew\u003c/em\u003e author assignment, assuming the initial check was sufficient.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003esaveElement()\u003c/code\u003e and \u003ccode\u003e_saveAuthors()\u003c/code\u003e methods persist the altered author relationship to the database, resulting in the entry now appearing authored by the user specified by the attacker, effectively spoofing content ownership and compromising data integrity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-50279 allows low-privileged users to falsify content ownership and alter the authorship of entries without possessing the dedicated author-management permission. This leads to several critical impacts including corrupted audit trails, where the true historical author of content is obscured, misleading notifications being sent to incorrect users, broken approval workflows as content changes may bypass designated reviewers, and unauthorized reassignment of content responsibility. This can severely undermine trust in the CMS content and its operational processes.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-50279 immediately by updating all Craft CMS installations to version 5.9.21 or later.\u003c/li\u003e\n\u003cli\u003eReview application logs for the vulnerable \u003ccode\u003e/entries/save-entry\u003c/code\u003e (identified in IOCs) endpoint for unusual POST requests originating from low-privileged user accounts, especially those containing \u003ccode\u003eauthors\u003c/code\u003e or \u003ccode\u003eauthor\u003c/code\u003e parameters, and investigate any successful changes in content ownership.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T11:49:22Z","date_published":"2026-07-03T11:49:22Z","id":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-authorship-spoofing/","summary":"A low-privileged authenticated user can exploit CVE-2026-50279, an authorization bypass vulnerability in Craft CMS's `entries/save-entry` endpoint, to reassign an entry's authorship to another user without proper permissions, leading to corrupted audit trails and misleading content ownership.","title":"Craft CMS Authorship Spoofing via Authorization Bypass (CVE-2026-50279)","url":"https://feed.craftedsignal.io/briefs/2026-07-craft-cms-authorship-spoofing/"}],"language":"en","title":"CraftedSignal Threat Feed - Authorship-Spoofing","version":"https://jsonfeed.org/version/1.1"}