CVE-2026-33162: Craft CMS has an authorization bypass which allows any control panel user to move entries without permissions

March 24, 2026 (updated March 25, 2026)

An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section.

References

github.com/advisories/GHSA-f582-6gf6-gx4g
github.com/craftcms/cms
github.com/craftcms/cms/commit/3c1ab1c4445dd9237855a66e6a06ecf3591a718e
github.com/craftcms/cms/releases/tag/5.9.14
github.com/craftcms/cms/security/advisories/GHSA-f582-6gf6-gx4g
nvd.nist.gov/vuln/detail/CVE-2026-33162

Code Behaviors & Features

Detect and mitigate CVE-2026-33162 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →