Auth bypass in Craft CMS

CVE-2026-41128

Craft CMS is a content management system (CMS). In versions 5.6.0 through 5.9.14, the `actionSavePermissions()` endpoint allows a user with only `viewUsers` permission to remove arbitrary users from all user groups. While `_saveUserGroups(…

Vulnerability class: Broken Access Control

EPSS: 0.000 (12.6th percentile)
