CVE-2026-28782

Name of the Vulnerable Software and Affected Versions Craft versions prior to 5.9.0-beta.1 Craft versions prior to 4.17.0-beta.1

Description Craft is a content management system (CMS). A flaw exists where the "Duplicate" entry action does not properly verify user permissions for specific target elements. Even with limited "View Entries" permission, a user can bypass UI restrictions by sending a direct request. This allows duplication of other users' entries by specifying their Entry IDs. Because Entry IDs are incremental, an attacker can potentially brute-force these IDs to duplicate and access restricted content. The vulnerability is exploitable via a direct request to the ''/index.php?p=admin%2Factions%2Felement-indexes%2Fperform-action'' API endpoint, utilizing the elementIds parameter. The request requires a valid CSRF token and cookie.

Recommendations Versions prior to 5.9.0-beta.1 should be updated to 5.9.0-beta.1 or later. Versions prior to 4.17.0-beta.1 should be updated to 4.17.0-beta.1 or later.