CVE-2026-28782: Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action

March 3, 2026 (updated March 4, 2026)

The “Duplicate” entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only “View Entries” permission (where the “Duplicate” action is restricted in the UI), a user can bypass this restriction by sending a direct request.

Furthermore, this vulnerability allows duplicating other users’ entries by specifying their Entry IDs. Since Entry IDs are incremental, an attacker can trivially brute-force these IDs to duplicate and access restricted content across the system.

References

github.com/advisories/GHSA-jxm3-pmm2-9gf6
github.com/craftcms/cms
github.com/craftcms/cms/commit/fb61a91357f5761c852400185ba931f51d82783d
github.com/craftcms/cms/security/advisories/GHSA-jxm3-pmm2-9gf6
nvd.nist.gov/vuln/detail/CVE-2026-28782

Code Behaviors & Features

Detect and mitigate CVE-2026-28782 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →