Cyber Resilience

CVE-2026-25497

High

Published: 09 February 2026

Published
09 February 2026
Modified
19 February 2026
KEV Added
Patch
CVSS Score v4 8.6 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0043 34.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25497 is a high-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Craftcms Craft Cms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 34.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-25497 is a privilege escalation vulnerability in Craft CMS's GraphQL API, affecting versions from 4.0.0-RC1 up to but not including 4.17.0-beta.1 and 5.9.0-beta.1. The issue arises in the saveAsset GraphQL mutation, which validates authorization against the schema-resolved asset volume but fetches the target asset by ID without confirming it belongs to the authorized volume. This flaw, classified under CWE-639 (Authorization Bypass Through User-Controlled Key), carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

An authenticated attacker with write access to at least one asset volume can exploit this vulnerability over the network with low complexity and no user interaction. By targeting the saveAsset mutation with an asset ID from a different volume, they can escalate privileges to modify or transfer assets belonging to any other volume, including restricted or private ones to which they lack access.

Craft CMS advisories and patches address the issue through validation fixes in the vulnerable GraphQL mutation. The vulnerability is resolved in Craft CMS versions 4.17.0-beta.1 and 5.9.0-beta.1, with related changes visible in the fix commit at https://github.com/craftcms/cms/commit/ac7edf868c1a81fd9c4dc49d3b3edf1cce113409, release notes for 5.8.22 at https://github.com/craftcms/cms/releases/tag/5.8.22, and the security advisory at https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v. Security practitioners should upgrade affected installations immediately.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset…

more

volume to escalate their privileges and modify/transfer assets belonging to any other volume, including restricted or private volumes to which they should not have access. The saveAsset GraphQL mutation validates authorization against the schema-resolved volume but fetches the target asset by ID without verifying that the asset belongs to the authorized volume. This allows unauthorized cross-volume asset modification and transfer. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Authorization bypass in public-facing GraphQL API (saveAsset mutation) allows authenticated attacker to escalate from limited asset volume access to unauthorized volumes/assets (CWE-639), directly enabling T1068 (Exploitation for Privilege Escalation) via T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28696Same product: Craftcms Craft Cms
CVE-2026-28784Same product: Craftcms Craft Cms
CVE-2026-32267Same product: Craftcms Craft Cms
CVE-2026-31857Same product: Craftcms Craft Cms
CVE-2026-25498Same product: Craftcms Craft Cms
CVE-2026-25495Same product: Craftcms Craft Cms
CVE-2025-68455Same product: Craftcms Craft Cms
CVE-2025-23209Same product: Craftcms Craft Cms
CVE-2025-68456Same product: Craftcms Craft Cms
CVE-2026-28783Same product: Craftcms Craft Cms

Affected Assets

craftcms
craft cms
4.0.0, 5.0.0 · 4.0.0 — 4.17.0 · 5.0.0 — 5.9.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations in the GraphQL API to verify that fetched assets by ID belong to the schema-resolved authorized volume, preventing cross-volume privilege escalation.

prevent

Validates the user-supplied asset ID input in the saveAsset mutation against the authorized volume to block unauthorized modifications or transfers.

preventrecover

Requires timely remediation of flaws like the authorization bypass in Craft CMS's saveAsset GraphQL mutation, as fixed in versions 4.17.0-beta.1 and 5.9.0-beta.1.

References