Craft CMS Privilege Escalation Vulnerability in GraphQL API

Vulnerability

A privilege escalation vulnerability has been identified in Craft CMS versions from 4.0.0-RC1 prior to the fixed releases 4.17.0-beta.1 and 5.9.0-beta.1. The flaw is in the GraphQL API: an authenticated user with write access to a single asset volume can escalate privileges and modify or transfer assets from any other volume, including restricted or private ones. The cause is that the saveAsset GraphQL mutation authorizes the request against the volume named in the mutation but never verifies that the asset being saved actually belongs to that volume, so the check can be satisfied for an asset living in a volume the user has no access to, enabling cross-volume asset modification and transfer.
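The authorization gap described above is a general pattern: a mutation that validates the caller's permission on the volume it was asked to write to, but never loads the target object and checks the volume it currently lives in. The following is an added illustration written for this page, not Craft CMS code; the asset store, user model, and function names (save_asset_unchecked, save_asset_checked) are constructed to show the flawed check beside the corrected one.

```python
from dataclasses import dataclass, replace


class Forbidden(Exception):
    """Raised when the caller lacks permission for the requested operation."""


@dataclass(frozen=True)
class Asset:
    id: int
    volume: str  # the volume the asset currently lives in


@dataclass(frozen=True)
class User:
    name: str
    writable_volumes: frozenset  # volumes this user may save assets in


# Constructed sample data (not real Craft data): two volumes, one asset in each.
ASSETS = {
    1: Asset(id=1, volume="public"),
    7: Asset(id=7, volume="private"),
}


def can_write(user: User, volume: str) -> bool:
    return volume in user.writable_volumes


def save_asset_unchecked(user: User, asset_id: int, target_volume: str) -> Asset:
    """Flawed pattern: authorizes only against the volume named in the request.

    The asset's current volume is never consulted, so a user who can write to
    'public' can move asset 7 out of 'private' simply by naming 'public'.
    """
    if not can_write(user, target_volume):
        raise Forbidden(f"{user.name} cannot write to volume {target_volume!r}")
    asset = ASSETS[asset_id]
    return replace(asset, volume=target_volume)


def save_asset_checked(user: User, asset_id: int, target_volume: str) -> Asset:
    """Corrected pattern: authorize against the asset's own volume first.

    Load the asset, require write permission on the volume it already belongs
    to, and only then check the target volume, so a transfer needs permission
    on both ends and an in-place edit needs permission on the source.
    """
    asset = ASSETS.get(asset_id)
    if asset is None:
        raise KeyError(asset_id)
    if not can_write(user, asset.volume):
        raise Forbidden(f"{user.name} cannot modify assets in volume {asset.volume!r}")
    if not can_write(user, target_volume):
        raise Forbidden(f"{user.name} cannot write to volume {target_volume!r}")
    return replace(asset, volume=target_volume)


def demo() -> dict:
    """Run both variants for a user who may write only to 'public'."""
    editor = User(name="editor", writable_volumes=frozenset({"public"}))
    results = {}
    # flawed check: the private asset is transferred into the public volume
    results["unchecked"] = save_asset_unchecked(editor, 7, "public").volume
    # corrected check: the same request is refused
    try:
        save_asset_checked(editor, 7, "public")
        results["checked"] = "allowed"
    except Forbidden:
        results["checked"] = "forbidden"
    # corrected check: a legitimate save within the user's own volume still works
    results["own_volume"] = save_asset_checked(editor, 1, "public").volume
    return results


if __name__ == "__main__":
    print(demo())
```

The detection point for reviewers of similar code is the order of operations: the object must be loaded and its current ownership (here, the volume) authorized before any field from the request is trusted. Checking only request-supplied fields leaves every object reachable by id.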

Impact

Exploitation of this vulnerability could lead to unauthorized access and modification of assets across different volumes, bypassing restrictions and potentially transferring confidential assets from private to public volumes.

Remediation

Users can upgrade to Craft CMS versions 4.17.0-beta.1 or 5.9.0-beta.1 to address this vulnerability.

Added: Feb 9, 2026, 8:22 PM
Updated: Feb 9, 2026, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 2.6
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.