Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32263 is a remote code execution (RCE) vulnerability in Craft CMS versions 5.6.0 to before 5.9.11. The issue arises because the application takes a settings array parsed from user input and passes it directly to a configuration method without proper sanitization. Specifically, the $settings array from parse_str is passed to Craft::configure() without cleansing via Component::cleanseConfig(). This allows an attacker to inject Yii2 behavior or event handlers using specially crafted keys prefixed with "as" or "on".'}, {'type': 'paragraph', 'content': 'To exploit this vulnerability, an attacker must have Craft control panel administrator permissions and the allowAdminChanges setting must be enabled. The vulnerability enables the attacker to execute arbitrary code remotely by injecting malicious configuration data.'}, {'type': 'paragraph', 'content': 'The vulnerability was patched in Craft CMS version 5.9.11 by adding a sanitization step that cleanses the configuration data before it is applied.'}] [1, 2]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to remote code execution on the affected Craft CMS system. An attacker with administrator permissions and the allowAdminChanges setting enabled can inject malicious behavior or event handlers, potentially taking full control of the CMS.

The impact includes unauthorized execution of arbitrary code, which can compromise the integrity, confidentiality, and availability of the system and its data.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves unsafe handling of configuration data in Craft CMS versions 5.6.0 to before 5.9.11, specifically in the EntryTypesController.php file where the $settings array from parse_str is passed without sanitization. Detection would involve checking if your Craft CMS installation is within the vulnerable version range and if the vulnerable code pattern exists.'}, {'type': 'paragraph', 'content': 'You can detect the vulnerability by verifying the installed Craft CMS version and inspecting the presence of the unsafe code pattern in the file src/controllers/EntryTypesController.php, particularly in the actionApplyOverrideSettings() method.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect the vulnerability on your system include:'}, {'type': 'list_item', 'content': 'Check the installed Craft CMS version (replace path as needed):\n php craft --version'}, {'type': 'list_item', 'content': "Search for the vulnerable code pattern in the source code:\n grep -A 5 'function actionApplyOverrideSettings' path/to/craftcms/src/controllers/EntryTypesController.php"}, {'type': 'list_item', 'content': "Look for usage of parse_str and Craft::configure without cleansing:\n grep -E 'parse_str|Craft::configure' path/to/craftcms/src/controllers/EntryTypesController.php"}, {'type': 'paragraph', 'content': 'Additionally, monitoring for unusual administrator activity or unexpected behavior in the control panel could indicate exploitation attempts, but no specific network detection commands are provided in the resources.'}] [2, 1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary and immediate mitigation step is to update Craft CMS to version 5.9.11 or later, where the vulnerability has been patched by adding sanitization of the $settings array using Component::cleanseConfig() before applying configuration changes.

If updating immediately is not possible, ensure that only trusted users have control panel administrator permissions and that the allowAdminChanges setting is disabled to reduce the risk of exploitation.

Review and restrict access to the Craft CMS control panel to prevent unauthorized users from exploiting this vulnerability.

Useful 0 Not Useful 0