Moderate severity · NVD Advisory · Published Mar 24, 2026 · Updated Mar 25, 2026
Craft CMS: Authorization bypass in "entries/move-to-section" allows control panel user to move entries without section permissions
CVE-2026-33162
Description
Craft CMS is a content management system (CMS). From version 5.3.0 to before version 5.9.14, an authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section. This issue has been patched in version 5.9.14.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.3.0, < 5.9.14 | 5.9.14 |
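A triage check for this advisory, written as an added example that is not part of the advisory or of the Craft CMS code base: it reads the locked `craftcms/cms` version from a `composer.lock` and lists POST requests to the `entries/move-to-section` action in web access logs. It assumes the standard `composer.lock` JSON layout and combined-format access logs; the sample lock file and log lines are constructed, and a log hit only marks a request to review against the user's section permissions.

```python
import json
import re

AFFECTED_MIN = (5, 3, 0)   # first affected version per the advisory
PATCHED = (5, 9, 14)       # first patched version per the advisory

def parse_version(text):
    """Turn '5.9.13' or 'v5.9.13' into (5, 9, 13); reject anything else."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.groups())

def locked_craft_version(composer_lock_text):
    """Return the locked craftcms/cms version string, or None if absent."""
    lock = json.loads(composer_lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg.get("version")
    return None

def is_affected(version_text):
    """True when the version falls in >= 5.3.0, < 5.9.14."""
    return AFFECTED_MIN <= parse_version(version_text) < PATCHED

# Assumed request field of a combined-format log line: "POST /path HTTP/1.1" 200
MOVE_RE = re.compile(
    r'"POST \S*/actions/entries/move-to-section(?:\?\S*)? HTTP/[\d.]+" (\d{3})')

def move_requests(log_lines):
    """Return (client, status) for each POST to the move-to-section action."""
    hits = []
    for line in log_lines:
        m = MOVE_RE.search(line)
        if m:
            hits.append((line.split()[0], int(m.group(1))))
    return hits

# Constructed sample data, not taken from any real system.
SAMPLE_LOCK = json.dumps(
    {"packages": [{"name": "craftcms/cms", "version": "5.9.13"}]})
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Mar/2026:10:00:01 +0000] "POST /actions/entries/move-to-section HTTP/1.1" 200 512',
    '203.0.113.11 - - [20/Mar/2026:10:00:05 +0000] "GET /admin/entries HTTP/1.1" 200 2048',
    '203.0.113.12 - - [20/Mar/2026:10:01:00 +0000] "POST /admin/actions/entries/move-to-section HTTP/1.1" 403 128',
]

if __name__ == "__main__":
    version = locked_craft_version(SAMPLE_LOCK)
    print(version, "affected" if is_affected(version) else "not affected")
    print(move_requests(SAMPLE_LOG))
```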
References
- github.com/advisories/GHSA-f582-6gf6-gx4g
- nvd.nist.gov/vuln/detail/CVE-2026-33162
- github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
- github.com/craftcms/cms/releases/tag/5.9.14
- github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g