CVE-2026-25497

Craft is a platform for creating digital experiences. Craft CMS 4.x from 4.0.0-RC1 up to (but not including) 4.17.0-beta.1, and 5.x before 5.9.0-beta.1, contain a privilege escalation vulnerability in the Craft CMS GraphQL API that allows an authenticated user with write access to one asset volume to modify or transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the volume the schema resolves the mutation to, but then fetches the target asset by ID without verifying that the asset belongs to that authorized volume, so the caller-supplied asset ID is the key that bypasses the check (CWE-639). This allows unauthorized cross-volume asset modification and transfer. The vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
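The following is an added illustrative model of the flaw pattern described above, written for this page; it is not Craft CMS code. The names Schema, Asset, save_asset_vulnerable and save_asset_fixed are hypothetical stand-ins for the real GraphQL resolver, and the volumes and assets are constructed sample data. What it reproduces is the shape of the bug: the write check is made against the volume the mutation is declared for, but the asset is then loaded by a caller-supplied ID that may point into any volume, and the hardened version binds the loaded asset to the authorized volume and authorizes the destination of a transfer as well.

```python
"""Model of the CWE-639 pattern behind CVE-2026-25497 (illustrative, not Craft code)."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller's schema does not permit the operation."""


@dataclass
class Asset:
    id: int
    volume_id: int
    filename: str


@dataclass(frozen=True)
class Schema:
    """Hypothetical GraphQL schema/token: the volumes it may save assets into."""
    name: str
    save_volume_ids: frozenset


# Constructed sample data: volume 10 is public, volume 20 is a private HR volume.
VOLUMES = {10: "publicAssets", 20: "privateHr"}


def make_assets():
    """Fresh asset table per call so callers never share mutated state."""
    return {
        1: Asset(id=1, volume_id=10, filename="banner.png"),
        2: Asset(id=2, volume_id=20, filename="salaries.pdf"),
    }


def _authorize_volume(schema, volume_id):
    if volume_id not in schema.save_volume_ids:
        raise Forbidden(f"{schema.name} may not save assets in volume {volume_id}")


def save_asset_vulnerable(schema, mutation_volume_id, assets, asset_id,
                          new_filename=None, new_volume_id=None):
    """Vulnerable shape. mutation_volume_id is the volume the schema resolved the
    saveAsset mutation for; asset_id comes straight from the mutation arguments.
    Authorization is checked only against the former, so the caller can name an
    asset in any other volume (authorization bypass through user-controlled key)."""
    _authorize_volume(schema, mutation_volume_id)
    asset = assets[asset_id]                 # fetched by id; its volume is never compared
    if new_filename is not None:
        asset.filename = new_filename
    if new_volume_id is not None:            # "transfer" into a volume of the caller's choosing
        asset.volume_id = new_volume_id
    return asset


def save_asset_fixed(schema, mutation_volume_id, assets, asset_id,
                     new_filename=None, new_volume_id=None):
    """Hardened shape: bind the loaded asset to the authorized volume, and treat a
    transfer as a write into the destination volume that must be authorized too."""
    _authorize_volume(schema, mutation_volume_id)
    asset = assets[asset_id]
    if asset.volume_id != mutation_volume_id:
        raise Forbidden(f"asset {asset_id} is not in volume {mutation_volume_id}")
    if new_volume_id is not None and new_volume_id != mutation_volume_id:
        _authorize_volume(schema, new_volume_id)
    if new_filename is not None:
        asset.filename = new_filename
    if new_volume_id is not None:
        asset.volume_id = new_volume_id
    return asset


def demo():
    """Editor token with write access to the public volume only, attacking asset 2
    in the private volume through a mutation declared for the public volume."""
    editor = Schema(name="public-editor", save_volume_ids=frozenset({10}))
    vulnerable = make_assets()
    moved = save_asset_vulnerable(editor, 10, vulnerable, asset_id=2,
                                  new_filename="leaked.pdf", new_volume_id=10)
    fixed = make_assets()
    try:
        save_asset_fixed(editor, 10, fixed, asset_id=2,
                         new_filename="leaked.pdf", new_volume_id=10)
        blocked = False
    except Forbidden:
        blocked = True
    # (volume the asset ended up in on the vulnerable path, on the fixed path, fixed path refused)
    return moved.volume_id, fixed[2].volume_id, blocked


if __name__ == "__main__":
    print(demo())  # (10, 20, True)
```

The check that matters is the comparison of the loaded asset's volume with the volume the mutation was authorized for; a transfer additionally needs the destination volume authorized, otherwise a caller could still pull assets into a volume they control. When reviewing similar resolvers, look for any place an object is loaded by a client-supplied ID after a permission check that was made on something other than that object.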
Configurations

Configuration 1

cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

19 Feb 2026, 19:16

Type: First Time
  Values Added: Craftcms; Craftcms craft Cms
Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 8.8
Type: Summary
  Values Added: (es) Spanish-language summary, translated here: Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a privilege escalation vulnerability in the Craft CMS GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but retrieves the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized modification and transfer of assets across volumes. This vulnerability is fixed in versions 4.17.0-beta.1 and 5.9.0-beta.1.
Type: References
  Values Removed: https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409 (no tags)
  Values Added: https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409 (Patch)
  Values Removed: https://github.com/craftcms/cms/releases/tag/5.8.22 (no tags)
  Values Added: https://github.com/craftcms/cms/releases/tag/5.8.22 (Release Notes)
  Values Removed: https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v (no tags)
  Values Added: https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v (Vendor Advisory, Patch)
Type: CPE
  Values Added:
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

09 Feb 2026, 20:15

Type: New CVE

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:16


NVD link : CVE-2026-25497

Mitre link : CVE-2026-25497

CVE.ORG link : CVE-2026-25497



Products Affected

craftcms

  • craft_cms
CWE
CWE-639

Authorization Bypass Through User-Controlled Key