CVE-2025-68456
Unauthenticated Backup Trigger in Craft Causes Resource Exhaustion
Publication date: 2026-01-05
Last updated on: 2026-01-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft | From 5.0.0 (inc) to 5.8.20 (inc) |
| craftcms | craft | From 3.0.0 (inc) to 4.16.16 (inc) |
| craftcms | craft | 5.8.21 |
| craftcms | craft | 4.16.17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-202 | When trying to keep information confidential, an attacker can often infer some of the information by using statistics. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Craft platform versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16 allows unauthenticated users to trigger database backup operations via specific admin actions. This can lead to resource exhaustion or information disclosure.
How can this vulnerability impact me? :
The vulnerability can impact you by allowing unauthenticated users to cause resource exhaustion on your system or potentially disclose sensitive information through unauthorized database backup operations.
What immediate steps should I take to mitigate this vulnerability?
Update Craft CMS to the patched versions: 5.8.21 or later for the 5.x series, and 4.16.17 or later for the 3.x and 4.x series. Users of Craft 3 should upgrade to the latest Craft 4 and 5 releases which include the fixes.