Submit #850792: Craftcms CMS 5.10.1 Authorization Bypass

Title: Craftcms CMS 5.10.1 Authorization Bypass

Description:

Missing Authorization Check Allows Non-Admin CP Users to Reorder Global Sets

The `reorder-sets` action in Craft CMS's `GlobalsController` is missing the `requireAdmin()` check that the adjacent `save-set` and `delete-set` actions both enforce. Any authenticated CP user can POST to `/actions/globals/reorder-sets` and permanently reorder all global sets in the project config, regardless of whether they have admin access. The reordering is written through to the project config and persists across requests.

### Details

`GlobalsController` exposes three administrative actions for managing global set structure. Two of them gate on admin status; the third does not:

```php
// vendor/craftcms/cms/src/controllers/GlobalsController.php
public function actionSaveSet(): ?Response
{
    $this->requirePostRequest();
    $this->requireAdmin(); // enforced
    // ...
}

public function actionReorderSets(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    // requireAdmin() is absent
    $setIds = Json::decode($this->request->getRequiredBodyParam('ids'));
    Craft::$app->getGlobals()->reorderSets($setIds);
    return $this->asSuccess();
}

public function actionDeleteSet(): Response
{
    $this->requirePostRequest();
    $this->requireAcceptsJson();
    $this->requireAdmin(); // enforced
    // ...
}
```

`reorderSets` writes the new order into the project config via `$projectConfig->set()`:

```php
// vendor/craftcms/cms/src/services/Globals.php
public function reorderSets(array $setIds): bool
{
    $projectConfig = Craft::$app->getProjectConfig();
    $uidsByIds = [];
    foreach ($setIds as $setId) {
        $uidsByIds[$setId] = Db::uidById(Table::GLOBALSETS, $setId);
    }
    foreach ($uidsByIds as $setId => $uid) {
        $sortOrder = array_search($setId, $setIds) + 1;
        $projectConfig->set(ProjectConfig::PATH_GLOBAL_SETS . '.' . $uid . '.sortOrder', $sortOrder);
    }
    return true;
}
```

The project config change is applied immediately and persisted.

Because any authenticated CP user satisfies `requirePostRequest()` and `requireAcceptsJson()`, the effective access control for this action is only "has a CP session."
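As an added illustration of the mitigation (example code written for this page, not the project's own code or the content of the fix commit), the controller shape below restores the per-action `requireAdmin()` call in `actionReorderSets` and additionally enforces admin status from `beforeAction` for every structure-mutating action id, so the check fails closed even if a future action forgets its own call. `requireAdmin()`, `requirePostRequest()` and `requireAcceptsJson()` are the methods named in the report; `beforeAction` is the standard Yii/Craft controller hook; the `ADMIN_ONLY_ACTIONS` list and the class layout are assumptions.

```php
<?php
// Added example: a hardened GlobalsController shape, not the project's own code.
namespace craft\controllers;

use Craft;
use craft\helpers\Json;
use craft\web\Controller;
use yii\web\Response;

class GlobalsController extends Controller
{
    // Action ids that change global-set structure in project config (assumed list).
    // Enforcing admin status here, before the action body runs, means a missing
    // per-action requireAdmin() can no longer silently open the endpoint.
    private const ADMIN_ONLY_ACTIONS = ['save-set', 'reorder-sets', 'delete-set'];

    public function beforeAction($action): bool
    {
        if (!parent::beforeAction($action)) {
            return false;
        }
        if (in_array($action->id, self::ADMIN_ONLY_ACTIONS, true)) {
            // Throws ForbiddenHttpException for non-admin CP users.
            $this->requireAdmin();
        }
        return true;
    }

    public function actionReorderSets(): Response
    {
        $this->requirePostRequest();
        $this->requireAcceptsJson();
        $this->requireAdmin(); // explicit check, matching save-set and delete-set

        $setIds = Json::decode($this->request->getRequiredBodyParam('ids'));
        Craft::$app->getGlobals()->reorderSets($setIds);

        return $this->asSuccess();
    }
}
```

The per-action call and the `beforeAction` guard are deliberately redundant: the first keeps each action readable on its own, the second makes the admin-only set explicit in one place where a reviewer can compare it against the routes the controller exposes.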
Source: https://github.com/craftcms/cms/commit/9bd05c91e6a7e6da5e949ec41a31c220c059aa04
User: geochen (UID 78995)
Submission: 06/07/2026 05:24 (29 days ago)
Moderation: 07/05/2026 20:26 (29 days later)
Status: Accepted
VulDB entry: 376387 [Craft CMS up to 4.18.0.1 reorder-sets Endpoint GlobalsController.php actionReorderSets authorization]
Points: 20
