CVE-2026-25497
📋 TL;DR
This CVE describes a privilege escalation vulnerability in Craft CMS's GraphQL API: an authenticated user with write access to one asset volume can modify or transfer assets that belong to any other volume, including restricted or private volumes. The root cause is an object-level authorization gap. The permission check is made against the volume resolved from the GraphQL schema (the volume the mutation is nominally for), but the target asset is then fetched by its caller-supplied ID without verifying that it actually belongs to that authorized volume. Any Craft CMS installation that exposes the GraphQL API to authenticated users holding asset write permissions is affected.
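The check-then-fetch mistake described above, modelled as an added Python example (this is not Craft CMS code; the class and function names, the volume handles `public` and `hrDocs`, and the sample assets are all hypothetical). The vulnerable resolver authorizes the volume named by the schema and then mutates whatever asset the ID points at; the hardened one loads the asset first and authorizes the volume it is really in.

```python
"""Added model (not Craft CMS code) of the authorization gap: the permission
check is keyed to the volume the mutation's schema resolves, but the asset is
loaded by caller-supplied ID and never checked to be in that volume.
All names here are hypothetical."""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the caller may not save the requested asset."""


@dataclass
class Asset:
    id: int
    volume: str      # handle of the volume the asset actually lives in
    title: str


@dataclass(frozen=True)
class User:
    name: str
    writable_volumes: frozenset   # volume handles the user may save assets in


def make_sample_assets():
    """Constructed sample data: one public volume, one restricted volume."""
    return {
        101: Asset(101, "public", "banner.png"),
        202: Asset(202, "hrDocs", "salaries-2025.pdf"),
    }


def save_asset_vulnerable(user, assets, schema_volume, asset_id, new_title):
    """Vulnerable pattern: authorize the schema-resolved volume, then load the
    asset by ID and mutate it without comparing the asset's own volume to the
    volume that was authorized."""
    if schema_volume not in user.writable_volumes:
        raise Forbidden(f"{user.name} cannot save assets in {schema_volume}")
    asset = assets[asset_id]          # may belong to any volume at all
    asset.title = new_title
    return asset


def save_asset_fixed(user, assets, schema_volume, asset_id, new_title):
    """Hardened pattern: load the asset first, refuse if it is not in the
    volume this mutation is for, then authorize that (real) volume."""
    asset = assets[asset_id]
    if asset.volume != schema_volume:
        raise Forbidden(f"asset {asset_id} is not in volume {schema_volume}")
    if asset.volume not in user.writable_volumes:
        raise Forbidden(f"{user.name} cannot save assets in {asset.volume}")
    asset.title = new_title
    return asset


def demo():
    """Returns (hrDocs asset title after the vulnerable call, after the fixed
    call) for a user who may write only to 'public' but targets asset 202."""
    marketing = User("marketing", frozenset({"public"}))

    assets = make_sample_assets()
    save_asset_vulnerable(marketing, assets, "public", 202, "owned")
    vulnerable_result = assets[202].title     # cross-volume write succeeded

    assets = make_sample_assets()
    try:
        save_asset_fixed(marketing, assets, "public", 202, "owned")
    except Forbidden:
        pass
    fixed_result = assets[202].title          # unchanged
    return vulnerable_result, fixed_result


if __name__ == "__main__":
    print(demo())
```

The fix is ordering plus a comparison: the authorization decision must be made on the volume the fetched object belongs to, not on the volume the caller chose the mutation for.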
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft CMS by craftcms
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with minimal permissions could gain unauthorized access to sensitive assets in restricted volumes, potentially modifying or exfiltrating confidential data, intellectual property, or user-uploaded content.
Likely Case
Malicious or compromised users with legitimate asset write permissions could access and manipulate assets in volumes they shouldn't have access to, leading to data integrity issues and unauthorized data access.
If Mitigated
Because exploitation always requires an authenticated account, tight permission hygiene and monitoring shrink the pool of potential attackers, but any remaining user with write access to even one volume can still perform cross-volume modifications until the patch is applied.
🎯 Exploit Status
Exploitation requires an authenticated account with write permission on at least one asset volume, plus the ID of the target asset. With those in hand, the flaw is straightforward to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.0-beta.1 (Craft 4) and 5.9.0-beta.1 (Craft 5)
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-fxp3-g6gw-4r4v
Restart Required: No
Instructions:
1. Craft 4 installations: update craftcms/cms to 4.17.0-beta.1 or later.
2. Craft 5 installations: update craftcms/cms to 5.9.0-beta.1 or later.
3. Both fixed versions are pre-releases; a Composer project with the default stable minimum-stability will not pick them up from a plain update, so pin the version explicitly in the require constraint.
4. Apply any pending migrations after the Composer update, then verify the installed version.
🔧 Temporary Workarounds
Disable GraphQL API
Temporarily disable the GraphQL API if nothing depends on it (headless front ends and integrations that query it will stop working).
Set `enableGql` to `false` in config/general.php; `enableGql` is the name of Craft's general config setting that controls the GraphQL API.
Restrict Asset Volume Access
Review and tighten user permissions so that as few accounts as possible hold asset write access on any volume, since any such account can exploit the flaw against every other volume.
🧯 If You Can't Patch
- Implement strict monitoring of GraphQL API requests for asset mutations whose target asset lives in a volume other than the one the mutation addresses
- Restrict network access to the GraphQL endpoint to trusted networks and clients; this limits who can reach the API, but it does not protect against a legitimate user with write access to a single volume, so it is no substitute for the patch
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version in the control panel or in composer.lock (composer.json only records the version constraint, not the installed version). Versions from 4.0.0-RC1 up to but not including 4.17.0-beta.1, and 5.x versions before 5.9.0-beta.1, are vulnerable. Pre-release ordering matters here: 4.17.0-beta.1 itself is fixed, while any 4.17.0 alpha sorts before it and is still affected.
Check Version:
php craft --version
Verify Fix Applied:
After updating, confirm the installed version is 4.17.0-beta.1 or later (Craft 4) or 5.9.0-beta.1 or later (Craft 5). Then test functionally: as a user with write access to only one volume, attempt to save an asset that lives in a different volume through the GraphQL API; the request must be rejected.
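An added helper (not part of the advisory or of Craft CMS) for the version check above. It reads the installed craftcms/cms version from composer.lock, assuming the standard Composer lock layout, and compares it against the affected ranges with pre-release tags ordered correctly, since the fixed versions are themselves betas and a naive string comparison would call 4.17.0-beta.1 "older" than 4.17.0-alpha.9. The advisory gives no lower bound for the 5.x line, so the helper treats every 5.x version below the fix as affected.

```python
"""Added version-range check (not Craft CMS code). Handles pre-release tags
so that alpha < beta < rc < final release for the same version number."""
import json
import re

_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(v):
    """'4.17.0-beta.1' -> ((4, 17, 0), (0, 1, 1)); '4.17.0' -> ((4, 17, 0), (1,)).
    A final release sorts after every pre-release of the same number;
    'RC1' and 'rc.1' are both accepted."""
    core, _, pre = v.strip().lstrip("v").partition("-")
    nums = tuple(int(x) for x in core.split("."))
    nums = nums + (0,) * (3 - len(nums))          # pad '5.9' to (5, 9, 0)
    if not pre:
        return nums, (1,)
    m = re.fullmatch(r"([A-Za-z]+)\.?(\d*)", pre)
    if not m or m.group(1).lower() not in _PRERELEASE_RANK:
        raise ValueError(f"unrecognised pre-release tag in {v!r}")
    return nums, (0, _PRERELEASE_RANK[m.group(1).lower()], int(m.group(2) or 0))


# Affected ranges from the advisory, as [lower, upper). The 4.x line starts at
# 4.0.0-RC1; no lower bound is stated for 5.x, so all of 5.x below the fix
# is treated as affected (assumption made for this example).
AFFECTED_RANGES = [
    (parse_version("4.0.0-RC1"), parse_version("4.17.0-beta.1")),
    (((5, 0, 0), (0, 0, 0)), parse_version("5.9.0-beta.1")),
]


def is_vulnerable(version):
    """True if the version falls inside any affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def installed_version_from_lock(lock_text):
    """Return the craftcms/cms version recorded in composer.lock, or None.
    composer.lock, not composer.json, holds the version actually installed."""
    lock = json.loads(lock_text)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"].lstrip("v")
    return None


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "composer.lock"
    with open(path) as fh:
        v = installed_version_from_lock(fh.read())
    print(v, "VULNERABLE" if v and is_vulnerable(v) else "not in affected range")
```

Run it from the project root (or pass the path to composer.lock) on each Craft host; a site that pins a pre-release of the fixed version will correctly report as not affected.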
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL saveAsset mutation requests targeting assets across different volumes
- Failed authorization attempts for asset modifications
- Asset modification logs showing cross-volume activity
Network Indicators:
- GraphQL API requests with saveAsset mutations containing asset IDs from multiple volumes
- Increased GraphQL traffic from authenticated users
SIEM Query (illustrative Splunk-style search; the source and field names must be adapted to how Craft logs are ingested, since Craft does not emit a field named asset_volume by default):
source="craft_logs" AND ("saveAsset" OR "GraphQL") AND ("volume" OR "asset") AND status="success" | stats count by user, asset_volume
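The cross-volume detection logic from the indicators above, as an added Python example that is not part of the advisory or of Craft CMS. Craft does not log GraphQL mutations in this shape natively; the JSON-lines format, the field names (`mutation_volume`, `asset_volume`, and so on) and the sample events are constructed for the example, and the assumption is that an ingestion pipeline enriches each saveAsset event with both the volume the mutation addressed and the volume the target asset belongs to.

```python
"""Added detection example (not Craft CMS code): flags successful asset saves
whose target asset lives in a volume other than the one the mutation was
issued against, and lists which volumes each user actually wrote to.
Log format and field names are constructed for this example."""
import json
from collections import defaultdict

# Constructed sample events: a 'marketing' user with write access to 'public'
# saves an asset that lives in 'hrDocs' through a public-volume mutation.
SAMPLE_LOG = """\
{"ts":"2026-02-10T09:00:01Z","user":"marketing","op":"saveAsset","mutation_volume":"public","asset_id":101,"asset_volume":"public","status":"success"}
{"ts":"2026-02-10T09:00:05Z","user":"marketing","op":"saveAsset","mutation_volume":"public","asset_id":202,"asset_volume":"hrDocs","status":"success"}
{"ts":"2026-02-10T09:01:00Z","user":"hr","op":"saveAsset","mutation_volume":"hrDocs","asset_id":202,"asset_volume":"hrDocs","status":"success"}
{"ts":"2026-02-10T09:01:30Z","user":"hr","op":"saveAsset","mutation_volume":"public","asset_id":101,"asset_volume":"public","status":"forbidden"}
{"ts":"2026-02-10T09:02:00Z","user":"marketing","op":"query","status":"success"}
"""


def parse_events(text):
    """Parse JSON lines, skipping blank or malformed lines rather than aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cross_volume_saves(events):
    """Successful saveAsset events whose target asset is not in the volume the
    mutation was authorized against. On a patched system this list is empty."""
    alerts = []
    for e in events:
        if e.get("op") != "saveAsset" or e.get("status") != "success":
            continue
        if e.get("asset_volume") != e.get("mutation_volume"):
            alerts.append({
                "ts": e["ts"],
                "user": e["user"],
                "asset_id": e["asset_id"],
                "mutation_volume": e["mutation_volume"],
                "asset_volume": e["asset_volume"],
            })
    return alerts


def volumes_written_per_user(events):
    """Volumes each user actually wrote to (successful saves only); a user
    with write access to one volume appearing under several is suspicious."""
    seen = defaultdict(set)
    for e in events:
        if e.get("op") == "saveAsset" and e.get("status") == "success":
            seen[e["user"]].add(e["asset_volume"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for alert in cross_volume_saves(evs):
        print("ALERT", alert)
    print(volumes_written_per_user(evs))
```

The first function is the high-fidelity signal (a mismatch between mutation volume and asset volume should never happen on a patched system); the second is the lower-fidelity aggregate that the SIEM query above approximates, and it needs the user's granted volumes from Craft's permission data to turn "wrote to several volumes" into "wrote to a volume it was not granted".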