Craft has a GraphQL Asset Mutation Privilege Escalation
Description
Craft is a platform for creating digital experiences. Craft versions from 4.0.0-RC1 before 4.17.0-beta.1, and from 5.0.0-RC1 before 5.9.0-beta.1, contain a privilege escalation vulnerability in Craft CMS's GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify or transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. The vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS's GraphQL API lets an authenticated user with write access to one asset volume modify or transfer assets in any other volume, because the saveAsset mutation never checks that the asset it fetched by ID belongs to the volume it authorized.
Vulnerability
Craft CMS versions from 4.0.0-RC1 before 4.17.0-beta.1, and from 5.0.0-RC1 before 5.9.0-beta.1, contain a privilege escalation vulnerability in the GraphQL API [2]. The saveAsset mutation resolver checks the schema's permissions against the volume resolved from the mutation (the volume the caller is authorized for), but then loads the target asset purely by its ID and never confirms that the asset's volumeId matches that volume. A user whose GraphQL schema grants write access to a single asset volume can therefore modify or transfer assets that belong to any other volume, including restricted or private ones [2].
Exploitation
An authenticated user whose GraphQL schema grants write permission on at least one asset volume exploits this by sending the saveAsset mutation for that volume with the ID of an asset that lives in a different volume. The server authorizes the request against the schema-resolved volume, then fetches and saves the asset by ID without cross-checking the asset's actual volume, so the write or transfer goes through even though the schema never granted any action on the volume that owns the asset [2].
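The authorization gap described in the Vulnerability and Exploitation sections, modelled as an added example. This is constructed code, not Craft CMS's own, and the names (Volume, Asset, Store, the `volumes.<uid>:<action>` scope strings, and the `fixed` switch) are assumptions chosen to mirror the shape of the patched resolver: the vulnerable path authorizes only the schema-resolved volume, while the fixed path additionally requires `save` on the volume the fetched asset really belongs to.

```python
# Constructed model of the saveAsset authorization gap; not Craft CMS code.
# Volume/Asset/Store and the scope-string format are assumptions for illustration.
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when the GraphQL schema does not grant the required action."""


@dataclass(frozen=True)
class Volume:
    id: int
    uid: str


@dataclass
class Asset:
    id: int
    volume_id: int
    title: str


@dataclass
class Store:
    volumes: dict = field(default_factory=dict)
    assets: dict = field(default_factory=dict)


def make_store() -> Store:
    """Constructed fixture: one public volume and one private (restricted) volume."""
    s = Store()
    s.volumes = {1: Volume(1, "vol-public"), 2: Volume(2, "vol-private")}
    s.assets = {10: Asset(10, 1, "brochure.pdf"), 20: Asset(20, 2, "payroll.xlsx")}
    return s


def require_schema_action(scope: set, target: str, action: str) -> None:
    """Model of the resolver's requireSchemaAction(): the caller's schema must
    grant '<target>:<action>', e.g. 'volumes.vol-public:save'."""
    if f"{target}:{action}" not in scope:
        raise AuthError(f"schema does not grant {action} on {target}")


def save_asset(scope, store, volume, asset_id, new_title, *, transfer=False, fixed=True):
    """Modify asset `asset_id`, optionally moving it into `volume` (the volume
    the mutation was resolved from). fixed=False reproduces the pre-fix flow:
    authorization covers only `volume`, never the asset's own volume."""
    require_schema_action(scope, f"volumes.{volume.uid}", "save")
    asset = store.assets.get(asset_id)
    if asset is None:
        raise LookupError("No such asset exists")
    if fixed and asset.volume_id != volume.id:
        # The patch's extra check: an asset fetched by ID may live elsewhere,
        # so require 'save' on the volume it actually belongs to.
        owner = store.volumes[asset.volume_id]
        require_schema_action(scope, f"volumes.{owner.uid}", "save")
    asset.title = new_title
    if transfer:
        asset.volume_id = volume.id
    return asset


def demo():
    """Same request against both behaviours: a schema scoped to the public
    volume targets asset 20, which belongs to the private volume."""
    scope = {"volumes.vol-public:save"}
    results = {}
    s = make_store()
    a = save_asset(scope, s, s.volumes[1], 20, "leaked.xlsx", transfer=True, fixed=False)
    results["vulnerable"] = (a.title, a.volume_id)  # asset now sits in the public volume
    s = make_store()
    try:
        save_asset(scope, s, s.volumes[1], 20, "leaked.xlsx", transfer=True, fixed=True)
        results["fixed"] = "allowed"
    except AuthError as e:
        results["fixed"] = f"denied: {e}"
    results["fixed_untouched"] = (s.assets[20].title, s.assets[20].volume_id)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The transfer case is the one worth watching: in the vulnerable flow the private asset is relocated into the attacker-writable volume, which is how a "modify/transfer" bug becomes a confidentiality problem and not only an integrity one.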
Impact
Successful exploitation allows an attacker to modify or transfer assets held in restricted or private volumes, bypassing the volume-level access control the GraphQL schema is supposed to enforce. Modifying an asset in place compromises integrity; transferring an asset out of a private volume into one the attacker can read exposes its contents, so confidentiality is at stake as well [2].
Mitigation
The vulnerability is fixed in Craft CMS 4.17.0-beta.1 and 5.9.0-beta.1 [1][3]; the fix commit adds a check that requires the `save` action on the asset's own volume whenever that volume differs from the one the mutation was resolved from. Users are advised to update to these or later versions. No workaround has been publicly disclosed. Until the update is applied, it is worth reviewing which GraphQL schemas grant write actions on any asset volume, since under the vulnerable versions a token with write access to a single volume effectively has write access to all of them.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.9.0-beta.1 | 5.9.0-beta.1 |
| craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.17.0-beta.1 | 4.17.0-beta.1 |
Affected products
Patches (2)
2 files changed · +5 −0
CHANGELOG.md+1 −0 modified@@ -9,6 +9,7 @@ - Fixed SSRF vulnerabilities. (GHSA-96pq-hxpw-rgh8, GHSA-m5r2-8p9x-hp5m, GHSA-8jr8-7hr4-vhfx) - Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj) - Fixed an XSS vulnerability. (GHSA-9f5h-mmq6-2x78) +- Fixed a permission escalation vulnerability. (GHSA-fxp3-g6gw-4r4v) ## 4.16.17 - 2025-12-0421
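Review bot: the new changelog line calls this a "permission escalation" while the advisory GHSA-fxp3-g6gw-4r4v it cites is titled as a privilege escalation; use the advisory's wording so the two match, and consider naming the affected surface in the entry ("...in the GraphQL saveAsset mutation"), as the SSRF, SQL injection and XSS entries above it give readers nothing to grep for either.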
src/gql/resolvers/mutations/Asset.php+4 −0 modified@@ -75,6 +75,10 @@ public function saveAsset(mixed $source, array $arguments, mixed $context, Resol if (!$asset) { throw new Error('No such asset exists'); } + + if ($asset->volumeId !== $volume->id) { + $this->requireSchemaAction('volumes.' . $asset->getVolume()->uid, 'save'); + } } else { $this->requireSchemaAction('volumes.' . $volume->uid, 'create');
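Review bot: the added `if ($asset->volumeId !== $volume->id)` block only closes the gap if a `save` check on `$volume` itself already ran before the asset lookup; that earlier check is outside this hunk, so confirm it exists, otherwise a transfer into `$volume` is authorized only on the source volume and not on the destination. Two smaller points on the same lines: the strict `!==` will fire spuriously if `$asset->volumeId` and `$volume->id` ever differ in type (harmless, it just re-checks the same volume, but worth a comment), and `$asset->getVolume()->uid` performs a second volume lookup for a uid when the id is already in hand, so a brief comment stating why ownership must be verified against the asset's actual volume would help the next reader.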
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fxp3-g6gw-4r4v (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25497 (advisory)
- github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409 (fix commit)
- github.com/craftcms/cms/releases/tag/4.17.0-beta.1 (release)
- github.com/craftcms/cms/releases/tag/5.8.22 (release)
- github.com/craftcms/cms/releases/tag/5.9.0-beta.1 (release)
- github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v (vendor advisory)