CVE-2026-31857
Received Received - Intake
Remote Code Execution in Craft CMS 5 Conditions System

Publication date: 2026-03-11

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-31857
EUVD
EUVD-2026-11257
Affected Vendors & Products
Showing 12 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 5.0.1 (inc) to 5.9.9 (exc)
craftcms craft_cms From 4.0.0.1 (inc) to 4.17.4 (exc)
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-31857 is a high-severity Remote Code Execution (RCE) vulnerability in Craft CMS affecting versions prior to 5.9.9 and 4.17.4. The flaw exists in the conditions system, specifically in the BaseElementSelectConditionRule::getElementIds() method, which processes user-controlled string input through the renderObjectTemplate() function. This function performs unsandboxed Twig template rendering with escaping disabled, allowing malicious input to execute arbitrary code.

Any authenticated Control Panel user, including non-admin roles such as Author or Editor, can exploit this vulnerability by submitting a crafted condition rule via standard element listing endpoints. The exploit requires no admin privileges or special permissions beyond basic control panel access and bypasses all production hardening settings like allowAdminChanges set to false, devMode disabled, and enableTwigSandbox enabled.

To mitigate this issue, users should update to the patched versions 5.9.9 or 4.17.4 of Craft CMS.

Impact Analysis

This vulnerability allows any authenticated user with basic Control Panel access, including non-admin roles, to execute arbitrary code on the server remotely. This means an attacker can run malicious commands, potentially taking full control of the affected system.

Because the exploit bypasses all production hardening settings, it can lead to severe security breaches such as unauthorized data access, data manipulation, service disruption, or complete system compromise.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves crafted condition rules sent by authenticated Control Panel users through standard element listing endpoints in Craft CMS. Detection would involve monitoring for unusual or suspicious requests to these endpoints that include crafted condition rules exploiting the BaseElementSelectConditionRule::getElementIds() method.

Since the vulnerability is exploited via HTTP requests to the CMS Control Panel, network detection could focus on analyzing HTTP traffic for unusual payloads in element listing API calls.

No specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The immediate and recommended mitigation step is to update Craft CMS to the patched versions 5.9.9 or 4.17.4, which contain fixes for this Remote Code Execution vulnerability.

The fix involves changes to the rendering process to use a sandboxed Twig environment, preventing arbitrary code execution through template rendering.

No other configuration changes or temporary workarounds are mentioned; therefore, upgrading to the fixed versions is the primary mitigation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-31857. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart