CVE-2026-25497
Severity: HIGH 8.8 · EPSS percentile: 34.0%

Description

Craft is a platform for creating digital experiences. Craft CMS versions from 4.0.0-RC1 up to, but not including, the fixed releases 4.17.0-beta.1 (4.x) and 5.9.0-beta.1 (5.x) contain a privilege escalation vulnerability in the GraphQL API: an authenticated user with write access to a single asset volume can modify or transfer assets belonging to any other volume, including restricted or private volumes they should not be able to reach. The saveAsset GraphQL mutation checks authorization against the volume resolved from the schema, but then fetches the target asset by its caller-supplied ID without verifying that the asset actually belongs to that authorized volume (CWE-639, authorization bypass through a user-controlled key). The result is unauthorized cross-volume asset modification and transfer. The vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
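As an added illustration of the pattern in the description (example code written for this page, not Craft's code and not the fix in the referenced commit): a small Python model of a volume-scoped saveAsset resolver, with the flawed shape next to the one that adds the missing ownership check. It assumes, as the description's wording suggests, that the mutation is bound to a volume resolved from the GraphQL schema's scopes, and that moving an asset into a folder of another volume is what "transfer" means; the Schema and Asset classes, the scope string format, the folder-to-volume map and the sample assets are hypothetical, constructed data. The destination-volume check in the fixed version is an additional hardening assumption, not something the advisory describes.

```python
# Added illustration (not Craft's code): a minimal model of the CWE-639 pattern
# the advisory describes. Names such as Schema, save_asset_vulnerable and
# FOLDER_VOLUME are hypothetical; the data below is constructed.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a schema lacks the scope needed for an operation."""


@dataclass
class Asset:
    id: int
    volume_id: int
    title: str
    folder_id: int


@dataclass
class Schema:
    """A GraphQL schema (API token) carrying per-volume save scopes,
    e.g. {"volumes.1:save"}: write access to volume 1 only."""
    name: str
    scopes: set = field(default_factory=set)


# Constructed sample data: a public volume (1) and a private volume (2).
FOLDER_VOLUME = {100: 1, 101: 1, 200: 2}  # folder id -> owning volume id


def sample_assets():
    return {
        10: Asset(id=10, volume_id=1, title="logo.png", folder_id=100),
        20: Asset(id=20, volume_id=2, title="payroll.pdf", folder_id=200),
    }


def _require_scope(schema, volume_id):
    if f"volumes.{volume_id}:save" not in schema.scopes:
        raise Forbidden(f"{schema.name} cannot save assets in volume {volume_id}")


def _apply(asset, title, new_folder_id):
    """Write the mutation's fields; moving into a folder also moves the asset
    into that folder's volume (the "transfer" in the advisory)."""
    if title is not None:
        asset.title = title
    if new_folder_id is not None:
        asset.folder_id = new_folder_id
        asset.volume_id = FOLDER_VOLUME[new_folder_id]
    return asset


def save_asset_vulnerable(schema, mutation_volume_id, asset_id, assets,
                          title=None, new_folder_id=None):
    """The flawed shape: authorization is decided by the volume the mutation
    resolved to, but the asset is loaded purely by the caller-supplied id."""
    _require_scope(schema, mutation_volume_id)
    asset = assets[asset_id]          # user-controlled key, no ownership check
    return _apply(asset, title, new_folder_id)


def save_asset_fixed(schema, mutation_volume_id, asset_id, assets,
                     title=None, new_folder_id=None):
    """Same mutation with the missing check: the loaded asset must belong to
    the volume the caller was authorized for."""
    _require_scope(schema, mutation_volume_id)
    asset = assets[asset_id]
    if asset.volume_id != mutation_volume_id:
        raise Forbidden(
            f"asset {asset_id} is in volume {asset.volume_id}, "
            f"not the authorized volume {mutation_volume_id}")
    # Assumption beyond the advisory: a move into another volume is also a
    # write to that volume, so require its scope too (defense in depth).
    if new_folder_id is not None:
        _require_scope(schema, FOLDER_VOLUME[new_folder_id])
    return _apply(asset, title, new_folder_id)


def demo():
    """A token scoped to the public volume tries to rename asset 20 (private
    volume) and pull it into public folder 101. Returns what each path did."""
    attacker = Schema("public-editor", {"volumes.1:save"})
    results = {}

    assets = sample_assets()
    moved = save_asset_vulnerable(attacker, 1, 20, assets,
                                  title="leaked.pdf", new_folder_id=101)
    results["vulnerable"] = (moved.title, moved.volume_id)   # ("leaked.pdf", 1)

    assets = sample_assets()
    try:
        save_asset_fixed(attacker, 1, 20, assets,
                         title="leaked.pdf", new_folder_id=101)
        results["fixed"] = "allowed"
    except Forbidden:
        results["fixed"] = "denied"
    results["private_untouched"] = (assets[20].title, assets[20].volume_id)

    assets = sample_assets()
    own = save_asset_fixed(attacker, 1, 10, assets, title="logo-v2.png")
    results["legitimate"] = (own.title, own.volume_id)        # ("logo-v2.png", 1)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ownership check is deliberately placed before any field is written, so a rejected request leaves the private asset untouched; the legitimate path (a token editing an asset in its own volume) still succeeds, which is the regression to watch for when backporting such a check.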

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% probability of exploitation · percentile 34.0% · scored 2026-06-18T12:00:27Z
Published: 2026-02-09
Last modified: 2026-02-19

Underlying weaknesses (1)

CWE-639: Authorization Bypass Through User-Controlled Key

References

  1. https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409
  2. https://github.com/craftcms/cms/releases/tag/5.8.22
  3. https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v

Weakness mapping (1)

Type       Target                                                      Confidence  Tier
Weakness   Authorization Bypass Through User-Controlled Key (cwe-639)  0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  CVE  CVE-2026-32267
  CVE  CVE-2025-54417
  CVE  CVE-2025-68456
  CVE  CVE-2026-28783
  CVE  CVE-2026-28697
  CVE  CVE-2026-25495

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.