{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41128", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:32:37.911Z", "dateUpdated": "2026-04-21T23:32:37.911Z"}, "containers": {"cna": {"title": "Craft CMS has a Missing Authorization Check on User Group Removal via save-permissions Action", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3"}, {"name": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.6.0, < 5.9.15", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:32:37.911Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch."}], "source": {"advisory": "GHSA-jq2f-59pj-p3m3", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups()` enforces per-group authorization for additions, it performs no equivalent authorization check for removals, so submitting an empty `groups` value removes all existing group memberships. Version 5.9.15 contains a patch."}], "id": "CVE-2026-41128", "lastModified": "2026-04-22T00:16:28.593", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.593", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/b135384808ad43fcf8836a9dd9b877fb0087bc27"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-jq2f-59pj-p3m3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T04:25:50.624094+00:00", "value": {"mitigation_remediation": ["Upgrade to Craft CMS 5.9.15 or later to resolve the missing authorization check.", "Revoke or restrict the viewUsers permission from users who do not require it to view user data.", "Enable logging or audit trails for user group changes to detect unauthorized modifications."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Removal of User Group Memberships"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Craft CMS, v5.6.0 to v5.9.14. A patch was released in version 5.9.15, so all installations running any version in that range are impacted.", "description_and_impact": "Craft CMS versions 5.6.0 through 5.9.14 contain a missing authorization check that allows any authenticated user with the minimal viewUsers permission to submit an empty groups list to the actionSavePermissions endpoint, which removes all users from their groups. This oversight effectively lets an authorized user alter or remove the group memberships of any other user, potentially causing loss of privileges or disabling of user accounts. The flaw is an instance of an Authorization Bypass (CWE\u2011862).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. The flaw is exploitable only by users with at least viewUsers permission; an attacker would need to be authenticated and able to submit a crafted request to the save-permissions endpoint. Because the attack requires existing legitimate privileges, the risk is primarily internal. Upgrading to a fixed version distinguishes the environment from exposure."}}}}, "created": "2026-04-22T04:30:05.304361+00:00", "updated": "2026-04-22T04:30:05.304373+00:00", "vendors": []}