PT-2026-22950 · Craft · Craft

Mhe4Am

·

Published

2026-03-03

·

Updated

2026-03-04

·

CVE-2026-28781

CVSS v4.0

7.1

High

Vector AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Craft versions prior to 4.17.0-beta.1

Craft versions prior to 5.9.0-beta.1
Description

The entry creation process allows mass assignment of the authorId attribute. A user holding only the "Create Entries" permission can add an authorIds[] (or authorId) parameter to the POST request that saves a new entry. The backend accepts this parameter whenever it is present, without checking whether the current user is authorized to assign authorship to other users. Under normal use the field is absent from the request for such users, because the entry form does not present it to them; the missing check is therefore on the server side, and hiding the field in the UI is not a control. By adding the parameter by hand, an attacker can attribute the new entry to any user, spoofing its authorship. This could allow an attacker to publish malicious or inappropriate content that appears to come from an administrator or another trusted user, potentially bypassing review workflows that key on the author, or gaining trust based on the false attribution.
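The following is an added illustration, not code from Craft or from this advisory's author. It models the entry-save step described above in PHP: a vulnerable handler that honours authorIds[]/authorId whenever the parameter is present, beside a hardened one that only honours it when the requester holds a separate permission. The permission names (createEntries, assignEntryAuthors), the user IDs and the request bodies are constructed for the example and are not Craft's own.

```php
<?php
declare(strict_types=1);

// Added illustration, not Craft's code. Models the entry-creation step
// the advisory describes: a POST body, the requesting user, and the
// server-side handling of authorIds[] / authorId. Permission names,
// user IDs and request data are constructed for the example.

const ADMIN_ID  = 1;   // trusted user the attacker wants to impersonate
const EDITOR_ID = 7;   // low-privilege user with only "Create Entries"

function makeUser(int $id, array $permissions): array
{
    return ['id' => $id, 'permissions' => $permissions];
}

function hasPermission(array $user, string $permission): bool
{
    return in_array($permission, $user['permissions'], true);
}

/** Normalise authorIds[] (multi-author form) or authorId (single-author form) to int[]|null. */
function requestedAuthorIds(array $post): ?array
{
    if (isset($post['authorIds'])) {
        return array_map('intval', (array) $post['authorIds']);
    }
    if (isset($post['authorId'])) {
        return [(int) $post['authorId']];
    }
    return null; // parameter absent: the normal case for a plain "Create Entries" user
}

/**
 * Vulnerable shape: the parameter is honoured whenever it is present.
 * Because the form simply omits the author field for users who may not
 * change it, the server never asks whether the requester is allowed to
 * assign authorship, and a crafted POST attributes the entry to any user ID.
 */
function createEntryVulnerable(array $post, array $currentUser): array
{
    if (!hasPermission($currentUser, 'createEntries')) {
        throw new RuntimeException('forbidden: createEntries');
    }
    $authorIds = requestedAuthorIds($post) ?? [$currentUser['id']];
    return ['title' => (string) $post['title'], 'authorIds' => $authorIds];
}

/**
 * Hardened shape: authorship may only be set to someone other than the
 * requester when the requester holds a distinct permission (the name
 * 'assignEntryAuthors' is hypothetical). The decision is made on the
 * server from the submitted data, not from which fields the form showed.
 */
function createEntryFixed(array $post, array $currentUser): array
{
    if (!hasPermission($currentUser, 'createEntries')) {
        throw new RuntimeException('forbidden: createEntries');
    }
    $requested = requestedAuthorIds($post);
    $self      = [$currentUser['id']];

    if ($requested !== null && $requested !== $self
        && !hasPermission($currentUser, 'assignEntryAuthors')) {
        // Reject rather than silently correct, so the attempt is visible in logs.
        throw new RuntimeException('forbidden: cannot assign authorship to other users');
    }
    return ['title' => (string) $post['title'], 'authorIds' => $requested ?? $self];
}

// Constructed attack request: an editor injects authorIds[] naming the admin.
$editor = makeUser(EDITOR_ID, ['createEntries']);
$spoof  = ['title' => 'Release notes', 'authorIds' => [ADMIN_ID]];

$entry = createEntryVulnerable($spoof, $editor);
printf("vulnerable: entry saved with authorIds=[%s]\n", implode(',', $entry['authorIds']));

try {
    createEntryFixed($spoof, $editor);
} catch (RuntimeException $e) {
    printf("fixed: %s\n", $e->getMessage());
}

// The same request without the injected field, and the single-author form
// naming the requester, both still succeed for the editor.
$entry = createEntryFixed(['title' => 'Release notes'], $editor);
printf("fixed: entry saved with authorIds=[%s]\n", implode(',', $entry['authorIds']));
$entry = createEntryFixed(['title' => 'Release notes', 'authorId' => EDITOR_ID], $editor);
printf("fixed: entry saved with authorIds=[%s]\n", implode(',', $entry['authorIds']));
```

The hardened handler deliberately allows a request that names only the requester, so clients that always send the field keep working, and it rejects rather than silently rewrites a foreign author so that the attempt shows up in application logs; either behaviour is acceptable as long as the check runs on the server for every request.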
Recommendations

Versions prior to 4.17.0-beta.1 should be updated to 4.17.0-beta.1 or later. Versions prior to 5.9.0-beta.1 should be updated to 5.9.0-beta.1 or later. Both fixed versions are pre-release builds; consult the related GitHub advisory (GHSA-2XFC-G69J-X2MP) for the first stable release carrying the fix when planning the upgrade.

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-28781
GHSA-2XFC-G69J-X2MP

Affected Products

Craft