Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-32261 is a high-severity remote code execution (RCE) vulnerability in the Craft CMS Webhooks plugin versions 3.0.0 to before 3.2.0. The plugin renders user-supplied template content using Twig's renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions for the Webhooks plugin to inject Twig template code that can execute arbitrary PHP functions. This can happen even if the allowAdminChanges setting is false. The vulnerability was fixed in version 3.2.0 by introducing a sandboxed Twig environment to restrict template rendering."}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated user with access to the Craft CMS control panel and Webhooks plugin permissions to execute arbitrary PHP code on the server. This can lead to remote code execution, potentially compromising the server, exposing sensitive data, or allowing further attacks within the environment. The risk is high because the exploit does not require additional user interaction and bypasses certain configuration protections.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability affects Craft CMS Webhooks plugin versions from 3.0.0 up to but not including 3.2.0. Detection involves verifying the installed plugin version and checking for unauthorized or suspicious webhook templates that may contain malicious Twig code.'}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, first identify the version of the Webhooks plugin installed. You can do this by checking the plugin version in the Craft CMS control panel or by inspecting the plugin files.'}, {'type': 'paragraph', 'content': 'Additionally, you can search for suspicious Twig template code injections in the webhook configurations. Since the vulnerability allows execution of arbitrary PHP functions via Twig templates, look for unusual Twig syntax or function calls in webhook templates.'}, {'type': 'paragraph', 'content': 'Example commands to check the plugin version and search for suspicious Twig code in webhook templates (assuming access to the server and plugin files):'}, {'type': 'list_item', 'content': "Check the plugin version in the composer.lock or plugin directory: `grep 'webhooks' composer.lock` or check the version file in the plugin directory."}, {'type': 'list_item', 'content': "Search for Twig template usage in webhook configuration files or database entries: `grep -r '{{' path/to/webhooks/config` or query the database for webhook templates containing Twig syntax."}, {'type': 'list_item', 'content': 'Monitor network traffic for unusual GET or POST requests triggered by webhooks that may indicate exploitation attempts.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the Craft CMS Webhooks plugin to version 3.2.0 or later, where the vulnerability has been patched by introducing a sandboxed Twig environment for rendering webhook templates.

If immediate updating is not possible, restrict access to the Craft control panel and the Webhooks plugin to trusted authenticated users only, as exploitation requires authenticated access with permissions to the Webhooks plugin.

Enable the `enableTwigSandbox` setting if available, which enforces sandboxing of Twig template rendering and mitigates arbitrary code execution risks.

Review and audit existing webhook templates for any suspicious or unauthorized Twig code and remove or sanitize them.

Useful 0 Not Useful 0