
CVE-2026-25497

High
Weakness Type: CWE-639
Published: Feb 9, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 8.8
📄 Description (English)

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.
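
The authorization defect described above, modelled as an added Python example (this is constructed illustration code, not Craft CMS source): a toy asset store with the same mutation written two ways. The vulnerable form authorizes against the volume the GraphQL schema resolved and then loads the asset by the client-supplied ID without checking which volume that asset really belongs to; the fixed form binds the authorization decision to the asset it is about to change and, for a transfer, also requires write access on the destination volume. The class names, volume IDs, user names and permission table are all assumptions made for the example.

```python
"""Authorization pattern behind CVE-2026-25497, as a constructed Python model.

Added example, not Craft CMS code. "Volume" and "asset" follow the CVE text;
everything else (names, IDs, permission table) is invented for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Asset:
    id: int
    volume_id: int
    title: str


class AuthorizationError(PermissionError):
    """Raised when a mutation is denied."""


class AssetStore:
    """In-memory stand-in for the CMS asset table and volume permissions."""

    def __init__(self, assets, write_access: Dict[str, Set[int]]):
        self.assets: Dict[int, Asset] = {a.id: a for a in assets}
        self.write_access = write_access  # user -> volume IDs with write access

    def can_write(self, user: str, volume_id: int) -> bool:
        return volume_id in self.write_access.get(user, set())

    def _apply(self, asset: Asset, title: Optional[str], new_volume_id: Optional[int]) -> Asset:
        updated = replace(
            asset,
            title=asset.title if title is None else title,
            volume_id=asset.volume_id if new_volume_id is None else new_volume_id,
        )
        self.assets[asset.id] = updated
        return updated

    def save_asset_vulnerable(self, user, schema_volume_id, asset_id, title=None, new_volume_id=None) -> Asset:
        """Authorization is checked against the schema-resolved volume only."""
        if not self.can_write(user, schema_volume_id):
            raise AuthorizationError(f"{user} has no write access to volume {schema_volume_id}")
        # The asset is fetched by ID; nothing verifies that it lives in
        # schema_volume_id, so an asset from any other volume can be changed.
        asset = self.assets[asset_id]
        return self._apply(asset, title, new_volume_id)

    def save_asset_fixed(self, user, schema_volume_id, asset_id, title=None, new_volume_id=None) -> Asset:
        """Authorization is bound to the asset actually being modified."""
        asset = self.assets.get(asset_id)
        # Unknown assets and assets outside the authorized volume get the same
        # answer, so the response does not reveal whether an ID exists elsewhere.
        if asset is None or asset.volume_id != schema_volume_id:
            raise AuthorizationError("asset is not in the authorized volume")
        if not self.can_write(user, asset.volume_id):
            raise AuthorizationError(f"{user} has no write access to volume {asset.volume_id}")
        # A transfer needs write access to the destination volume as well.
        if new_volume_id is not None and not self.can_write(user, new_volume_id):
            raise AuthorizationError(f"{user} has no write access to volume {new_volume_id}")
        return self._apply(asset, title, new_volume_id)


def make_store() -> AssetStore:
    """Constructed sample data: volume 1 is public, volume 2 is restricted."""
    return AssetStore(
        assets=[Asset(100, 1, "press-photo.jpg"), Asset(200, 2, "board-minutes.pdf")],
        write_access={"editor": {1}, "admin": {1, 2}},
    )


def attempt(store_method, *args, **kwargs) -> str:
    """Run a mutation and describe the outcome as a short string."""
    try:
        asset = store_method(*args, **kwargs)
        return f"allowed: asset {asset.id} now in volume {asset.volume_id}, title {asset.title!r}"
    except AuthorizationError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    # "editor" may write volume 1 only, but names asset 200 from restricted volume 2.
    print(attempt(make_store().save_asset_vulnerable, "editor", 1, 200, title="renamed"))
    print(attempt(make_store().save_asset_fixed, "editor", 1, 200, title="renamed"))
    # A legitimate edit inside the authorized volume still works in the fixed version.
    print(attempt(make_store().save_asset_fixed, "editor", 1, 100, title="renamed"))
    # Moving an owned asset into a restricted volume is denied as well.
    print(attempt(make_store().save_asset_fixed, "editor", 1, 100, new_volume_id=2))
```

The point of the fixed version is that the object the request names, not the volume the schema resolved, is what the permission check must be evaluated against; checking the schema volume alone is an authorization decision about the wrong object.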

🤖 AI Executive Summary

CVE-2026-25497 is a privilege escalation vulnerability in Craft CMS affecting versions 4.0.0-RC1 through 4.16.x and 5.0.0-RC1 through 5.8.x. An authenticated user with write access to one asset volume can exploit improper authorization checks in the GraphQL API's saveAsset mutation to modify or transfer assets from any other volume, including restricted or private volumes. This allows unauthorized cross-volume asset access and manipulation with high impact on data confidentiality and integrity.


🤖 AI Intelligence Analysis Analyzed: Apr 22, 2026 20:50
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Craft CMS for digital asset management, particularly in media, publishing, government digital services, and e-commerce sectors, face significant risk. Government agencies (NCA, CITC) managing digital content repositories, Saudi media companies, and financial institutions using Craft for customer-facing digital experiences are most vulnerable. The vulnerability enables unauthorized access to sensitive digital assets, confidential documents, and restricted media content, potentially violating SAMA data protection requirements and NCA cybersecurity standards.
🏢 Affected Saudi Sectors
Government & Public Administration, Banking & Financial Services, Media & Publishing, E-Commerce & Retail, Healthcare, Telecommunications, Energy & Utilities
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all Craft CMS instances in your environment and document their versions
2. Restrict GraphQL API access to trusted networks only using WAF/firewall rules
3. Review and audit all asset volume permissions and recent asset modifications
4. Monitor GraphQL saveAsset mutation logs for suspicious cross-volume asset operations

PATCHING:
1. Upgrade Craft CMS to version 4.17.0-beta.1 or later for v4.x installations
2. Upgrade to version 5.9.0-beta.1 or later for v5.x installations
3. Test patches in staging environment before production deployment

COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable GraphQL API if not actively used; restrict to authenticated users only
2. Implement strict RBAC: limit write access to asset volumes to minimal required users
3. Separate sensitive asset volumes into isolated Craft instances
4. Enable comprehensive audit logging for all GraphQL mutations

DETECTION:
1. Monitor for GraphQL saveAsset mutations with asset IDs from unauthorized volumes
2. Alert on cross-volume asset modifications by users without explicit volume permissions
3. Track failed authorization attempts in GraphQL API logs
4. Implement IDS/IPS rules to detect GraphQL API abuse patterns
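
Detection items 1 to 3 above, as an added Python example (constructed for this page, not a Craft CMS or vendor feature). It reads a GraphQL mutation audit log in an assumed JSON-lines layout, joins each accepted saveAsset record against an asset inventory to learn which volume the asset really sits in, and raises an alert when the asset's volume differs from the one the request was authorized against, when the user holds no write permission on that real volume, or when a user accumulates repeated authorization denials. The log field names, the inventory, the permission table and the threshold are all assumptions.

```python
"""Detection logic for cross-volume saveAsset activity, as an added example.

Constructed Python, not a Craft CMS feature. The audit log layout, asset
inventory, permission table and threshold below are assumptions.
"""
import json
from collections import Counter
from typing import Dict, Iterable, List, Set

# Constructed asset inventory (asset ID -> volume ID). In practice this comes
# from the CMS database: the log alone does not say which volume an asset is in.
ASSET_VOLUMES: Dict[int, int] = {100: 1, 101: 1, 200: 2, 201: 2}
# Constructed write permissions: user -> volumes with write access.
WRITE_ACCESS: Dict[str, Set[int]] = {"editor": {1}, "admin": {1, 2}}
DENIAL_THRESHOLD = 3

# Constructed sample audit log; the field names are assumptions for this example.
SAMPLE_LOG = """\
{"ts": "2026-02-10T09:00:01Z", "user": "editor", "mutation": "saveAsset", "schema_volume": 1, "asset_id": 100, "status": "ok"}
{"ts": "2026-02-10T09:00:07Z", "user": "editor", "mutation": "saveAsset", "schema_volume": 1, "asset_id": 200, "status": "ok"}
{"ts": "2026-02-10T09:01:15Z", "user": "admin", "mutation": "saveAsset", "schema_volume": 2, "asset_id": 201, "status": "ok"}
{"ts": "2026-02-10T09:02:00Z", "user": "editor", "mutation": "saveAsset", "schema_volume": 2, "asset_id": 201, "status": "denied"}
{"ts": "2026-02-10T09:02:03Z", "user": "editor", "mutation": "saveAsset", "schema_volume": 2, "asset_id": 200, "status": "denied"}
{"ts": "2026-02-10T09:02:05Z", "user": "editor", "mutation": "saveAsset", "schema_volume": 2, "asset_id": 201, "status": "denied"}
{"ts": "2026-02-10T09:03:00Z", "user": "editor", "mutation": "createEntry", "status": "ok"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def analyze(events: Iterable[dict], asset_volumes=ASSET_VOLUMES,
            write_access=WRITE_ACCESS, threshold=DENIAL_THRESHOLD) -> List[dict]:
    """Return a list of alert dicts for the saveAsset events in the log."""
    alerts: List[dict] = []
    denials: Counter = Counter()
    for ev in events:
        if ev.get("mutation") != "saveAsset":
            continue
        if ev.get("status") == "denied":
            denials[ev["user"]] += 1
            continue
        actual = asset_volumes.get(ev["asset_id"])
        base = {"ts": ev["ts"], "user": ev["user"], "asset_id": ev["asset_id"]}
        if actual is None:
            # An accepted write to an asset the inventory does not know about deserves a look.
            alerts.append({"rule": "unknown-asset", **base})
            continue
        if actual != ev["schema_volume"]:
            # Detection item 1: authorized against one volume, touched an asset in another.
            alerts.append({"rule": "cross-volume", "schema_volume": ev["schema_volume"],
                           "asset_volume": actual, **base})
        if actual not in write_access.get(ev["user"], set()):
            # Detection item 2: the user holds no write permission on the asset's real volume.
            alerts.append({"rule": "unauthorized-volume-write", "asset_volume": actual, **base})
    for user, count in denials.items():
        if count >= threshold:
            # Detection item 3: a burst of failed authorization attempts by one user.
            alerts.append({"rule": "repeated-denials", "user": user, "count": count})
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample log the second record fires both the cross-volume and the unauthorized-volume-write rules (asset 200 lives in volume 2 while the request was authorized against volume 1), and the three denied records trip the repeated-denials rule for the editor account. The inventory join is the important design point: after the patch the cross-volume rule should never fire, so any hit on a patched instance points at an inventory or logging error rather than at the vulnerability.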
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.6.1.2 - Access Control: Implement proper authorization checks for all API operations
ECC 2024 A.8.2.1 - Audit Logging: Maintain comprehensive logs of all asset access and modifications
ECC 2024 A.5.1.1 - Information Classification: Enforce separation of restricted and private asset volumes
🔵 SAMA CSF
SAMA CSF ID.AC-1 - Access Control: Verify user permissions before granting access to sensitive assets
SAMA CSF DE.AE-1 - Detection: Monitor and detect unauthorized asset access attempts
SAMA CSF RS.MI-2 - Response: Implement incident response procedures for unauthorized asset modifications
🟡 ISO 27001:2022
ISO 27001:2022 A.5.3 - Segregation of duties: Enforce separation between asset volumes
ISO 27001:2022 A.8.2 - User access management: Implement proper RBAC for asset operations
ISO 27001:2022 A.8.3 - User responsibilities: Audit user actions on sensitive assets
ISO 27001:2022 A.12.4.1 - Event logging: Log all GraphQL API mutations
🟣 PCI DSS v4.0
PCI DSS 3.2.1 - Access Control: Restrict asset access based on business need-to-know
PCI DSS 10.2 - Logging: Implement comprehensive audit trails for asset modifications
📦 Affected Products / CPE (8 entries)
craftcms:craft_cms
craftcms:craft_cms
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:4.0.0
craftcms:craft_cms:5.0.0
craftcms:craft_cms:5.0.0
📊 CVSS Score
8.8 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network (N)
Attack Complexity: Low (L)
Privileges Required: Low (L)
User Interaction: None (N)
Scope: Unchanged (U)
Confidentiality: High (H)
Integrity: High (H)
Availability: High (H)
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-639
Exploit: No
Patch: Yes
Published: 2026-02-09
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 (Priority: HIGH)
🏷️ Tags: patch-available, CWE-639