Craft CMS User Group Removal Authorization Bypass (CVE-2026-41128)

Craft CMS User Group Removal Privilege Escalation Vulnerability Summary Vulnerability Overview Title: Missing Authorization Check on User Group Removal via save-permissions Action CVE ID: CVE-2026-41128 Severity: Moderate Reporter: kamimura Published: Last week Core Issue: In Craft CMS, the endpoint allows users with the permission to remove all user groups from any user. Although the endpoint performs group-based authorization checks for "add" operations, it does not perform an equivalent check for "remove" operations. Submitting an empty value removes all existing group memberships of that user. Affected Versions: Craft CMS 5.6.0 to 5.9.14 (latest at time of report) Regression introduced in 5.6.0 when permission was added Prior to 5.6.0, required permission, implicitly protecting this endpoint Requires Pro edition or higher (vulnerable code path gated by ) Root Cause: This is a regression vulnerability introduced in Craft CMS 5.6.0. Before the addition of the permission, required the permission to access other users’ data, which implicitly protected . After the change, became reachable by users with read-only access, but the underlying group-saving logic still lacked authorization checks for group removal. The vulnerability consists of two parts: 1. accessible via read-only access: The operation only requires a control panel request and delegates to , which now only checks the permission—a permission explicitly documented as “read-only access to user elements.” 2. Asymmetric authorization in : This method only checks the permission when adding groups to a new user. When the parameter is an empty string (empty array), the loop is entirely skipped, no authorization check is performed, and all group memberships are removed. Prerequisites: Attacker has a control panel account with and permissions Target user belongs to one or more user groups granting additional permissions Pro edition or higher Attack Steps: 1. Attacker authenticates to the control panel 2. Attacker sends a POST request to with the following parameters: - = target user’s ID - = "" (empty string) 3. All group memberships of the target user are removed 4. All permissions inherited from those groups are immediately revoked Impact: Permission Revocation: Attacker can strip group-based permissions from any user, including accounts whose effective access rights derive from group memberships Denial of Access: Users lose access to sections, volumes, and features granted via group memberships Bypass Elevation Session Requirement: Group removal does not trigger (only triggered when adding new groups) Scope of Impact Affected Versions: >= 5.6.0, <= 5.9.15 Fixed Version: 5.9.15 Package: craftcms/cms (Composer) Remediation Upgrade to Craft CMS 5.9.15 or later to fix this vulnerability. POC/Exploit Code No specific POC code block provided on the page, but attack steps and request parameters are described:

Goal Reached Thanks to every supporter — we hit 100%!

Craft CMS User Group Removal Authorization Bypass (CVE-2026-41128)

More from this source