VYPR
Medium severity · NVD Advisory · Published Apr 22, 2026 · Updated Apr 22, 2026

CVE-2026-41128

Description

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the actionSavePermissions() endpoint allows a user with only viewUsers permission to remove arbitrary users from all user groups. While _saveUserGroups() enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty groups value removes all existing group memberships. Version 5.9.15 contains a patch.
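As an added illustration (not Craft CMS code; the Actor class and save_user_groups() are hypothetical stand-ins), the following models the asymmetric check the description refers to: authorizing additions but not removals lets an empty submission clear every membership, while checking both sides of the diff rejects it.

```python
# Added example: a simplified model of the group-membership save logic described
# in the advisory. Not Craft CMS code; Actor and save_user_groups are hypothetical.
# The point is the asymmetry: checking only additions lets an actor who may
# assign no groups strip every membership by submitting an empty list.
from dataclasses import dataclass, field


@dataclass
class Actor:
    """Constructed stand-in for the current user: which groups it may assign."""
    assignable_groups: frozenset = field(default_factory=frozenset)

    def can_assign(self, group_id: int) -> bool:
        return group_id in self.assignable_groups


class Forbidden(Exception):
    """Raised when the actor lacks authorization for a membership change."""


def save_user_groups(current: set, submitted: set, actor: Actor,
                     check_removals: bool) -> set:
    """Return the user's resulting group set after applying `submitted`.

    check_removals=False models the pre-5.9.15 behaviour the advisory describes
    (only additions are authorized); True models the hardened form.
    """
    additions = submitted - current
    removals = current - submitted
    for gid in additions:
        if not actor.can_assign(gid):
            raise Forbidden(f"cannot add user to group {gid}")
    if check_removals:
        for gid in removals:
            if not actor.can_assign(gid):
                raise Forbidden(f"cannot remove user from group {gid}")
    return set(submitted)


def demo() -> tuple:
    """Constructed scenario: target is in groups {1, 2}; actor can assign none."""
    viewer_only = Actor()  # viewUsers only, no group-assignment rights
    weak = save_user_groups({1, 2}, set(), viewer_only, check_removals=False)
    try:
        save_user_groups({1, 2}, set(), viewer_only, check_removals=True)
        hardened = "allowed"
    except Forbidden as exc:
        hardened = f"forbidden: {exc}"
    return weak, hardened
```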

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: craftcms/cms (Packagist)
Affected versions: >= 5.6.0, < 5.9.15
Patched versions: 5.9.15

Affected products: 1

Patches: 1

Commit b135384808ad

Fixed GHSA-jq2f-59pj-p3m3

https://github.com/craftcms/cms · brandonkelly · Mar 9, 2026 · via ghsa
2 files changed · +9 −0
  • CHANGELOG.md (+1 −0, modified)
    @@ -18,6 +18,7 @@
     - Fixed a bug where cross-site validation errors weren’t preventing elements from getting saved. ([#18292](https://github.com/craftcms/cms/issues/18292))
     - Fixed a bug where failure messages when pasting elements weren’t getting displayed properly.
     - Fixed a bug where `craft\helpers\UrlHelper::cpReferralUrl()` was returning the referrer URL even if it had the same URI as the current page. ([#18483](https://github.com/craftcms/cms/pull/18483))
    +- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) authorization bypass vulnerability. (GHSA-jq2f-59pj-p3m3)
     
     ## 5.9.14 - 2026-02-25
     
    
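Review bot: the new changelog line names neither the affected endpoint (actionSavePermissions) nor the impact (a user with only viewUsers permission could remove users from all user groups), so operators scanning the changelog cannot judge exposure from it; consider a fuller entry such as `- Fixed an authorization bypass where users with only viewUsers permission could remove users from all user groups via actionSavePermissions. (GHSA-jq2f-59pj-p3m3)`, keeping the severity link as it is.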
  • src/controllers/UsersController.php (+8 −0, modified)
    @@ -1261,6 +1261,10 @@ public function actionSavePermissions(): Response
         {
             $this->requireCpRequest();
     
    +        if (!$this->showPermissionsScreen()) {
    +            throw new ForbiddenHttpException('User not authorized to perform this action.');
    +        }
    +
             $currentUser = static::currentUser();
             $user = $this->editedUser((int)$this->request->getRequiredBodyParam('userId'));
     
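Review bot: the new gate at the top of actionSavePermissions() delegates entirely to showPermissionsScreen(), whose body is not in this diff; confirm it checks the current user's right to assign groups and permissions rather than a UI visibility flag, since a viewUsers-only user has to be rejected here. Also confirm ForbiddenHttpException is imported in UsersController.php, as no `use` line appears in the hunk. Placing the check after requireCpRequest() and before editedUser() is the right order.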
    @@ -2784,6 +2788,10 @@ private function _saveUserPermissions(User $user, User $currentUser): void
          */
         private function _saveUserGroups(User $user, User $currentUser): void
         {
    +        if (!$currentUser->canAssignUserGroups()) {
    +            return;
    +        }
    +
             $groupIds = $this->request->getBodyParam('groups');
     
             if ($groupIds === null) {
    
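Review bot: the early `return` in _saveUserGroups() silently discards a submitted `groups` value when the current user lacks canAssignUserGroups(); that is tolerable because the endpoint now throws first, but a coarse yes/no gate does not by itself close the asymmetry the advisory describes (per-group authorization for additions, none for removals). Confirm that the rest of the method, below the visible lines, authorizes removals against the same per-group rules applied to additions; otherwise a user who may assign some groups could still clear memberships of groups they cannot assign by omitting them from `groups`.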

