CVE-2026-33162 in Craft
Summary
by MITRE • 03/24/2026
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Analysis
by VulDB Data Team • 03/29/2026
CVE-2026-33162 affects Craft CMS versions 5.3.0 through 5.9.13 and is a critical authorization bypass that undermines the system's permission model. A control panel user holding only minimal privileges can send a single POST request to move content entries between sections of the CMS. The root cause is insufficient validation of the user's permissions during the move operation, which lets a crafted request escalate the user's effective privileges.
Technically, the flaw is an improper access control check in the /actions/entries/move-to-section endpoint. When an authenticated user with only the accessCp permission asks to move an entry from one section to another, the endpoint does not verify that the user holds saveEntries:{sectionUid} for both the source section and the destination section. This violates the principle of least privilege: a user should only be able to perform actions for which they hold explicit authorization. The weakness is classified as CWE-285: Improper Authorization, which covers cases where a system fails to enforce access control on operations that require elevated privileges.
Operationally, the vulnerability is a significant risk for deployments that rely on role-based access control to protect sensitive content and preserve content integrity. An attacker holding a low-privilege control panel account could move entries between sections, bypassing content restrictions, reaching restricted sections, or placing content in areas where they have no legitimate access. The consequences range from unauthorized content exposure and data leakage to content tampering and disruption of editorial workflows that should be reserved for higher-privilege users.
Exploitation requires an authenticated user who has accessCp but lacks the saveEntries permission for the sections involved in the move. This is what makes the issue concerning: it can be triggered by accounts that are supposed to have only limited control panel access. The attack chain is short: authenticate with a low-privilege account, then call the move-to-section endpoint to transfer content between sections for which the account holds no direct permission. This pattern aligns with ATT&CK technique T1078.004: Valid Accounts, in which adversaries use legitimate credentials to gain access and then exploit weak permission checks to expand what those credentials can do.
Organizations running Craft CMS should upgrade to version 5.9.14 without delay. The fix closes the authorization bypass by validating the user's permissions for both the source and destination sections before an entry move is allowed. Additional mitigations include monitoring for unusual entry movement patterns, using network segmentation to limit who can reach the control panel, and auditing permissions regularly to confirm that access controls are configured as intended. Security teams should also consider automated scanning that flags unauthorized attempts to move entries between sections as part of ongoing monitoring. The vulnerability underlines the importance of strict access control boundaries in CMS platforms and of thorough permission validation for every operation, particularly those that manipulate content or move it across sections or channels.
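The following is an added illustration, not Craft CMS code, of the check the analysis describes for the move-to-section operation and of the corresponding fix: the pre-patch logic only requires accessCp, while the corrected logic also requires saveEntries for both the source and the destination section. The section UIDs, usernames and permission sets are constructed for the example; the permission string format mirrors the one quoted in the advisory.

```python
"""Model of the authorization check behind CVE-2026-33162 (constructed illustration,
not Craft CMS code). Permissions use the string form quoted in the advisory:
'accessCp' and 'saveEntries:{sectionUid}'. All UIDs and users below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class MoveRequest:
    user: str          # account issuing the move
    source_uid: str    # UID of the section the entry currently lives in
    dest_uid: str      # UID of the section the entry is moved to


def authorize_vulnerable(perms: set[str], req: MoveRequest) -> bool:
    # Pre-5.9.14 behaviour as described: only control panel access is checked,
    # so the section permissions are never consulted.
    return "accessCp" in perms


def authorize_fixed(perms: set[str], req: MoveRequest) -> bool:
    # Patched behaviour: the caller must be allowed to save entries in BOTH
    # the source and the destination section, in addition to accessCp.
    needed = {"accessCp",
              f"saveEntries:{req.source_uid}",
              f"saveEntries:{req.dest_uid}"}
    return needed <= perms


def find_escalations(users: dict[str, set[str]],
                     requests: list[MoveRequest]) -> list[MoveRequest]:
    """Audit helper: moves the old check would allow but the fixed check denies."""
    return [r for r in requests
            if authorize_vulnerable(users[r.user], r)
            and not authorize_fixed(users[r.user], r)]


# Constructed sample data: one full editor, one accessCp-only user, one user
# limited to a single section.
USERS = {
    "editor": {"accessCp", "saveEntries:news-uid", "saveEntries:blog-uid"},
    "viewer": {"accessCp"},
    "news-only": {"accessCp", "saveEntries:news-uid"},
}
REQUESTS = [
    MoveRequest("editor", "news-uid", "blog-uid"),
    MoveRequest("viewer", "news-uid", "internal-uid"),
    MoveRequest("news-only", "news-uid", "internal-uid"),
]

if __name__ == "__main__":
    for r in find_escalations(USERS, REQUESTS):
        print(f"{r.user}: {r.source_uid} -> {r.dest_uid} allowed pre-patch, denied post-patch")
```

Run against real audit records, the same comparison shows which historical moves a pre-patch instance accepted that the corrected permission check would have refused.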