CVE-2026-31857
Remote Code Execution in Craft CMS 5 Conditions System
Publication date: 2026-03-11
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | From 4.0.0.1 (inc) to 4.17.4 (exc) |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 5.0.1 (inc) to 5.9.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-31857 is a high-severity Remote Code Execution (RCE) vulnerability in Craft CMS affecting versions prior to 5.9.9 and 4.17.4. The flaw exists in the conditions system, specifically in the BaseElementSelectConditionRule::getElementIds() method, which processes user-controlled string input through the renderObjectTemplate() function. This function performs unsandboxed Twig template rendering with escaping disabled, allowing malicious input to execute arbitrary code.
Any authenticated Control Panel user, including non-admin roles such as Author or Editor, can exploit this vulnerability by submitting a crafted condition rule via standard element listing endpoints. The exploit requires no admin privileges or special permissions beyond basic control panel access and bypasses all production hardening settings like allowAdminChanges set to false, devMode disabled, and enableTwigSandbox enabled.
To mitigate this issue, users should update to the patched versions 5.9.9 or 4.17.4 of Craft CMS.
How can this vulnerability impact me?
This vulnerability allows any authenticated user with basic Control Panel access, including non-admin roles, to execute arbitrary code on the server remotely. This means an attacker can run malicious commands, potentially taking full control of the affected system.
Because the exploit bypasses all production hardening settings, it can lead to severe security breaches such as unauthorized data access, data manipulation, service disruption, or complete system compromise.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves crafted condition rules sent by authenticated Control Panel users through standard element listing endpoints in Craft CMS. Detection would involve monitoring for unusual or suspicious requests to these endpoints that include crafted condition rules exploiting the BaseElementSelectConditionRule::getElementIds() method.
Since the vulnerability is exploited via HTTP requests to the CMS Control Panel, network detection could focus on analyzing HTTP traffic for unusual payloads in element listing API calls.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation step is to update Craft CMS to the patched versions 5.9.9 or 4.17.4, which contain fixes for this Remote Code Execution vulnerability.
The fix involves changes to the rendering process to use a sandboxed Twig environment, preventing arbitrary code execution through template rendering.
No other configuration changes or temporary workarounds are mentioned; therefore, upgrading to the fixed versions is the primary mitigation.
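Because the only mitigation is upgrading, the first practical step is confirming which Craft CMS version each deployment actually runs. The script below is an added example, not part of this advisory or of Craft CMS itself: it reads a Composer lock file, finds the `craftcms/cms` package (Craft's Composer package name), and compares the installed version against the fixed versions stated above (4.17.4 and 5.9.9). The sample lock file embedded at the bottom is constructed for the example; point `check_lock()` at a real `composer.lock` to check a live install. Pre-release builds of the fixed version (for example a `-beta` tag) are treated as still vulnerable, since they precede the release.

```python
import json
from pathlib import Path

# Fixed versions stated in the advisory, keyed by major line.
# Anything earlier on the same major line is affected.
FIXED = {4: (4, 17, 4), 5: (5, 9, 9)}
PACKAGE = "craftcms/cms"  # Craft CMS's Composer package name


def parse_version(version):
    """Return ((major, minor, patch), is_prerelease) for a Composer version string."""
    v = version.lstrip("v")
    core, sep, _suffix = v.partition("-")  # "5.9.9-beta.1" -> core "5.9.9", prerelease
    is_prerelease = bool(sep)
    core = core.split("+", 1)[0]  # drop build metadata
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]), is_prerelease


def is_vulnerable(version):
    """True/False for a 4.x or 5.x version; None if the major line is not covered here."""
    tup, prerelease = parse_version(version)
    fixed = FIXED.get(tup[0])
    if fixed is None:
        return None  # e.g. Craft 3: not in scope of this advisory, assess separately
    if tup < fixed:
        return True
    # A pre-release of the fixed version predates the actual fix release.
    return tup == fixed and prerelease


def installed_version(lock_text):
    """Find the craftcms/cms version recorded in composer.lock JSON text."""
    data = json.loads(lock_text)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == PACKAGE:
            return pkg.get("version")
    return None


def check_lock(lock_text):
    """Summarise the lock file: installed version and whether it is in the affected range."""
    version = installed_version(lock_text)
    if version is None:
        return {"installed": None, "vulnerable": None}
    return {"installed": version, "vulnerable": is_vulnerable(version)}


# Constructed sample lock file (not from any real deployment) with an affected 5.x version.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "twig/twig", "version": "v3.14.0"},
        {"name": "craftcms/cms", "version": "5.9.3"},
    ],
    "packages-dev": [],
})


if __name__ == "__main__":
    lock_path = Path("composer.lock")
    text = lock_path.read_text() if lock_path.exists() else SAMPLE_LOCK
    print(check_lock(text))
```

Run it from the project root of each Craft install (or feed it lock files collected from several hosts); a result of `vulnerable: True` means the upgrade to 4.17.4 or 5.9.9 is still outstanding, and `None` means the package was not found or the major line is outside this advisory and needs a separate check.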