PT-2026-34219 · Craft CMS · Craft CMS

Published: 2026-04-14 · Updated: 2026-04-25 · CVE-2026-41128

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft CMS versions 5.6.0 through 5.9.14

Description: The 'actionSavePermissions()' endpoint allows a user possessing only the viewUsers permission to remove arbitrary users from all user groups. The cause is an asymmetric authorization check: the saveUserGroups() function enforces authorization when a user is added to a group, but performs no equivalent check when a user is removed from one. Consequently, submitting an empty groups value strips all of the target user's existing group memberships without any permission check.

Recommendations: Update to version 5.9.15.
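The flaw class described above (authorization enforced on additions but not on removals of a membership set) is easy to reproduce in a simplified model. The following is an added example written for this advisory; it is not Craft CMS code, and the function names, the hypothetical `manageUserGroups` permission, and the in-memory `User` records are assumptions made for illustration. It places the vulnerable save logic next to a hardened version that authorizes the full diff (added and removed groups) and returns the diff so it can be audit-logged.

```python
"""Simplified model of a membership-save endpoint with asymmetric authorization.

Hypothetical example only: not Craft CMS code. Permission name
"manageUserGroups" and the User record are constructed for illustration.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when the acting user lacks permission for the requested change."""


@dataclass
class User:
    user_id: int
    permissions: set = field(default_factory=set)   # e.g. {"viewUsers"}
    groups: set = field(default_factory=set)        # current group memberships


# Hypothetical permission that should gate ANY change to group membership.
MANAGE_GROUPS = "manageUserGroups"


def save_user_groups_vulnerable(actor: User, target: User, requested: set) -> set:
    """Vulnerable pattern: only additions are authorized.

    A caller with no group-management permission can still submit an empty
    set and wipe every existing membership, because removals are never checked.
    """
    added = set(requested) - target.groups
    if added and MANAGE_GROUPS not in actor.permissions:
        raise AuthorizationError("not allowed to add users to groups")
    target.groups = set(requested)          # removals applied unchecked
    return target.groups


def save_user_groups_fixed(actor: User, target: User, requested: set) -> dict:
    """Hardened pattern: authorize the whole diff, not just one direction.

    Computes both the added and the removed groups, refuses the request if
    either is non-empty and the actor lacks the management permission, and
    returns the diff so the caller can write an audit record.
    """
    requested = set(requested)
    added = requested - target.groups
    removed = target.groups - requested
    if (added or removed) and MANAGE_GROUPS not in actor.permissions:
        # No partial application: the target's memberships stay untouched.
        raise AuthorizationError("not allowed to change group membership")
    target.groups = requested
    # Returned for audit logging; membership changes are worth recording
    # even when authorized, since they are a privilege-change event.
    return {"added": added, "removed": removed, "groups": set(target.groups)}


def demo() -> dict:
    """Run both variants with a low-privilege actor sending an empty group set."""
    results = {}
    viewer = User(user_id=1, permissions={"viewUsers"})  # viewUsers only

    victim = User(user_id=2, groups={"editors", "authors"})
    results["vulnerable_groups_after"] = save_user_groups_vulnerable(viewer, victim, set())

    victim = User(user_id=2, groups={"editors", "authors"})
    try:
        save_user_groups_fixed(viewer, victim, set())
        results["fixed_raised"] = False
    except AuthorizationError:
        results["fixed_raised"] = True
    results["fixed_groups_after"] = set(victim.groups)

    admin = User(user_id=3, permissions={"viewUsers", MANAGE_GROUPS})
    results["admin_diff"] = save_user_groups_fixed(admin, victim, {"editors"})
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The important design choice is that the hardened version derives both directions of the change from the same diff and applies the permission check before mutating anything, so there is no code path through which an unauthorized removal can be persisted. Returning the diff also gives defenders a concrete event to log and alert on: a membership removal performed by an account that only holds a read-style permission would stand out in such a log.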

Fix: available (see Recommendations)

Weakness: Missing Authorization


Weakness Enumeration: Missing Authorization

Related Identifiers:
CVE-2026-41128
GHSA-JQ2F-59PJ-P3M3

Affected Products: Craft CMS