PT-2026-7147 · Craft · Craft
Vitalysim
Published: 2026-02-09 · Updated: 2026-02-09
CVE-2026-25497
CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Craft versions 4.0.0-RC1 through 4.17.0-beta.1; Craft version 5.9.0-beta.1
Description: Craft is a platform for creating digital experiences. A privilege escalation issue exists in the GraphQL API. An authenticated user with write access to one asset volume can escalate their privileges and modify or transfer assets belonging to any other volume, including restricted or private volumes. The saveAsset GraphQL mutation validates authorization against the volume resolved from the GraphQL schema, but it then fetches the target asset by ID without verifying that the asset belongs to that authorized volume, which enables unauthorized cross-volume asset modification and transfer.
Recommendations: Update to Craft version 4.17.0-beta.1 or later. Update to Craft version 5.9.0-beta.1 or later.
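The flaw described above is an authorization check run against one object (the schema-resolved volume) while the mutation acts on another object (an asset looked up by ID) with nothing tying the two together. The following is an added illustration of that pattern and of the check that closes it; it is not Craft's code, and the Asset class, the in-memory store, the user-to-volume permission table and the function names save_asset_vulnerable and save_asset_fixed are all constructed for the example.

```python
"""Model of the authorization flaw in the advisory above (added example, not
Craft's own code). All names and sample data here are constructed."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Set


class Forbidden(Exception):
    """The caller is not allowed to perform the requested mutation."""


@dataclass(frozen=True)
class Asset:
    id: int
    volume_id: int
    title: str


# Constructed sample data: one public volume (1) and one private volume (2).
SAMPLE_ASSETS: Dict[int, Asset] = {
    10: Asset(id=10, volume_id=1, title="banner.png"),
    20: Asset(id=20, volume_id=2, title="payroll.pdf"),
}
# Volumes each user may write to (constructed). The editor only has volume 1.
USER_VOLUME_WRITE: Dict[str, Set[int]] = {"editor": {1}, "admin": {1, 2}}


def authorize_volume(user: str, volume_id: int) -> None:
    """Reject the call unless the user has write access to the volume."""
    if volume_id not in USER_VOLUME_WRITE.get(user, set()):
        raise Forbidden(f"{user} has no write access to volume {volume_id}")


def save_asset_vulnerable(user: str, schema_volume_id: int, asset_id: int,
                          assets: Dict[int, Asset],
                          new_title: Optional[str] = None,
                          new_volume_id: Optional[int] = None) -> Asset:
    """Flawed flow: authorization is checked against schema_volume_id, but the
    asset is then loaded by ID alone, so once the caller is authorized for
    *some* volume, any asset in the store can be changed or moved."""
    authorize_volume(user, schema_volume_id)
    asset = assets[asset_id]  # no check that asset.volume_id == schema_volume_id
    return replace(
        asset,
        title=new_title if new_title is not None else asset.title,
        volume_id=new_volume_id if new_volume_id is not None else asset.volume_id,
    )


def save_asset_fixed(user: str, schema_volume_id: int, asset_id: int,
                     assets: Dict[int, Asset],
                     new_title: Optional[str] = None,
                     new_volume_id: Optional[int] = None) -> Asset:
    """Corrected flow: the loaded asset must belong to the authorized volume,
    and a transfer additionally requires write access to the destination."""
    authorize_volume(user, schema_volume_id)
    asset = assets[asset_id]
    # The missing ownership check: tie the fetched object to the authorized one.
    if asset.volume_id != schema_volume_id:
        raise Forbidden(f"asset {asset_id} is not in volume {schema_volume_id}")
    # Moving the asset is a write into the destination volume as well.
    if new_volume_id is not None and new_volume_id != asset.volume_id:
        authorize_volume(user, new_volume_id)
    return replace(
        asset,
        title=new_title if new_title is not None else asset.title,
        volume_id=new_volume_id if new_volume_id is not None else asset.volume_id,
    )


def is_forbidden(fn: Callable[..., Asset], *args, **kwargs) -> bool:
    """True if the mutation is rejected with Forbidden."""
    try:
        fn(*args, **kwargs)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    # The editor (write access to volume 1 only) targets private asset 20.
    moved = save_asset_vulnerable("editor", 1, 20, SAMPLE_ASSETS, new_volume_id=1)
    print("vulnerable handler moved the private asset to volume", moved.volume_id)
    print("fixed handler rejects the same call:",
          is_forbidden(save_asset_fixed, "editor", 1, 20, SAMPLE_ASSETS, new_volume_id=1))
```

The store is left untouched by both handlers (frozen dataclass plus replace) so the two flows can be compared on the same data; in a real handler the same two checks, asset belongs to the authorized volume and the destination volume is itself authorized, are what turn a per-volume permission into an effective one.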

Tags: Exploit, Fix, LPE, IDOR

Weakness Enumeration: Improper Privilege Management

Related Identifiers: CVE-2026-25497, GHSA-FXP3-G6GW-4R4V

Affected Products: Craft