Craft CMS Authorization Bypass Through User-Controlled Key Vulnerability - CVE-2026-28782 - Vulnerability Database

Severity: Medium
Reference: CVE-2026-28782
Title: Craft CMS Authorization Bypass Through User-Controlled Key Vulnerability
Overview:

Craft is a content management system (CMS). Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission (where the "Duplicate" action is restricted in the UI), a user can bypass this restriction by sending a direct request. Furthermore, this vulnerability allows duplicating other users' entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system. This vulnerability is fixed in 5.9.0-beta.1 and 4.17.0-beta.1.