Craft CMS Authorization Bypass Through User-Controlled Key Vulnerability - CVE-2026-28781

Craft is a content management system (CMS). Prior to 4.17.0-beta.1 and 5.9.0-beta.1 the entry creation process allows for Mass Assignment of the authorId attribute. A user with quotCreate Entriesquot permission can inject the authorIds (or authorId) parameter into the POST request which the backend processes without verifying if the current user is authorized to assign authorship to others. Normally this field is not present in the request for users without the necessary permissions. By manually adding this parameter an attacker can attribute the new entry to any user including Admins. This effectively quotspoofsquot the authorship. This vulnerability is fixed in 4.17.0-beta.1 and 5.9.0-beta.1.