CVE-2026-14793 in Craft
Summary
by MITRE • 07/06/2026
A vulnerability was detected in Craft CMS up to 4.18.0.1. Affected is the function actionReorderSets of the file src/controllers/GlobalsController.php of the component reorder-sets Endpoint. The manipulation results in authorization bypass. The attack can be executed remotely. Upgrading to version 4.18.1 is able to address this issue. The patch is identified as 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The affected component should be upgraded.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/06/2026
This vulnerability in Craft CMS represents a critical authorization bypass flaw that affects the global reordering functionality within the administration interface. The issue resides in the actionReorderSets function located in src/controllers/GlobalsController.php, specifically within the reorder-sets endpoint of the globals controller component. The vulnerability allows unauthorized users to manipulate the ordering of global sets without proper authentication or authorization checks, effectively enabling privilege escalation through a remote attack vector.
The technical exploitation of this flaw occurs when an attacker can submit crafted requests to the reorder-sets endpoint that bypasses standard access controls. This type of vulnerability falls under CWE-285 which specifically addresses improper authorization issues in software systems. The vulnerability is particularly dangerous because it operates entirely through HTTP requests without requiring any local system access, making it highly accessible to remote attackers who may have gained initial access through other means.
The operational impact of this vulnerability extends beyond simple privilege escalation as it allows attackers to potentially reorganize or rearrange global content sets in ways that could disrupt content management workflows. An attacker with minimal privileges could theoretically reorder global sets to obscure important content, create confusion in the administration interface, or potentially manipulate content relationships that might affect site functionality. The remote execution capability means that this vulnerability can be exploited from any location without requiring physical access to the server infrastructure.
Security practitioners should note that this vulnerability is specifically addressed through upgrading to Craft CMS version 4.18.1, with the patch identified by commit hash 9bd05c91e6a7e6da5e949ec41a31c220c059aa04. The remediation process requires immediate attention as this authorization bypass could enable attackers to gain elevated privileges within the CMS environment, potentially leading to full administrative control over content management systems. Organizations should implement comprehensive patch management procedures to ensure all instances of Craft CMS are updated and verify that the specific fix has been properly applied to eliminate this remote exploitation vector.
This vulnerability demonstrates the importance of proper input validation and authorization checks in web application frameworks, particularly in content management systems where administrative functions handle sensitive data operations. The attack pattern aligns with ATT&CK technique T1078 which covers valid accounts usage, as unauthorized users can leverage this flaw to perform actions they should not normally be permitted to execute within the CMS environment. Security teams should monitor for any anomalous activity related to global set reordering operations and maintain awareness of similar authorization bypass vulnerabilities in other web frameworks that might present comparable attack surfaces.