CVE-2026-25497

EUVD-2026-6846

09.02.2026, 20:15

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_cms	4.0.0 < 𝑥 < 4.17.0
craftcms	craft_cms	5.0.0 < 𝑥 < 5.9.0
craftcms	craft_cms	4.0.0
craftcms	craft_cms	4.0.0:rc1
craftcms	craft_cms	4.0.0:rc2
craftcms	craft_cms	4.0.0:rc3
craftcms	craft_cms	5.0.0
craftcms	craft_cms	5.0.0:rc1

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-639 - Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References

https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409

https://github.com/craftcms/cms/releases/tag/5.8.22

https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v