{"id":"CVE-2026-50280","summary":"Craft CMS: Authorization bypass in `entries/move-to-section` via missing target-section save check","details":"Craft CMS is a content management system (CMS). In versions 5.0.0-RC1 and above prior to 5.9.21, the EntriesController::actionMoveToSection() endpoint gates the destination section only by viewEntries:$section-\u003euid rather than requiring saveEntries permission (the source entry is separately checked via Entry::canMove()). As a result, a low-privileged authenticated control-panel user who can move an entry out of its current section can call moveEntryToSection() to rewrite the entry's sectionId and save it into a section where they have read access but no write access. This breaks the section-level authorization model, letting a user with limited permissions inject content into a protected section and interfere with editorial boundaries, approval workflows, and section-specific business logic. This issue has been fixed in version 5.9.21.","aliases":["GHSA-43cq-c2gq-pfpw"],"modified":"2026-07-08T08:09:43.224244287Z","published":"2026-07-01T23:43:49.095Z","database_specific":{"cwe_ids":["CWE-284"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50280.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50280.json"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-43cq-c2gq-pfpw"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50280"},{"type":"FIX","url":"https://github.com/craftcms/cms/commit/0a6b916f6367b0162b2eaf2366add67b45fa98ea"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"04755d93f86d07cc183db47db8a0eee106892e30"},{"fixed":"0a6b916f6367b0162b2eaf2366add67b45fa98ea"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"5.0.0-RC1"},{"fixed":"5.9.21"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50280.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N"}]}