CVE-2026-32264
Behavior Injection RCE in Craft CMS ElementIndexesController and FieldsController
Publication date: 2026-03-16
Last updated on: 2026-03-17
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 4.0.0 |
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 4.0.0.1 (inc) to 4.17.5 (exc) |
| craftcms | craft_cms | From 5.0.1 (inc) to 5.9.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32264 is a Remote Code Execution (RCE) vulnerability in Craft CMS affecting versions from 4.0.0-RC1 to before 4.17.5 and from 5.0.0-RC1 to before 5.9.11. The vulnerability arises from unsafe handling of serialized input data in the ElementIndexesController and FieldsController components. Specifically, the system parsed serialized condition configurations without proper validation or cleansing, allowing an attacker with administrator permissions and the allowAdminChanges setting enabled to inject malicious behavior that could be executed remotely.
The root cause was that serialized strings were directly parsed and passed to condition creation methods without sanitization. The fix involved adding a sanitization step using Component::cleanseConfig() to cleanse the configuration data before it is used, preventing unsafe data from being processed and thus mitigating the RCE risk.
How can this vulnerability impact me?
This vulnerability can allow an attacker with Craft control panel administrator permissions and the allowAdminChanges setting enabled to execute arbitrary code remotely on the affected system. This means the attacker could potentially take full control of the server running Craft CMS, leading to unauthorized access, data theft, data manipulation, or disruption of services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves behavior injection Remote Code Execution (RCE) in Craft CMS versions from 4.0.0-RC1 to before 4.17.5 and from 5.0.0-RC1 to before 5.9.11, specifically in ElementIndexesController and FieldsController. Detection would involve identifying if your Craft CMS installation is running a vulnerable version and if the conditions for exploitation are met (administrator permissions and allowAdminChanges enabled).
There are no explicit commands provided in the resources to detect exploitation attempts or presence of the vulnerability on your network or system.
However, as a general approach, you can check which version of Craft CMS is installed, for example:
- Check the Composer package version: `composer show craftcms/cms`
- Check the version in the Craft CMS control panel under Settings > System.
To detect suspicious activity related to this vulnerability, monitor logs for unusual serialized input or unexpected requests to endpoints related to ElementIndexesController or FieldsController, but no specific detection commands are provided.
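An added version check, not part of this advisory or of the Craft CMS project, that applies the affected ranges stated above to a version string, including one read from `composer show craftcms/cms` output (the `versions : * x.y.z` line layout is assumed, and the sample output is constructed):

```python
import re

# Patched releases named in the advisory; on each major branch every
# earlier version (including pre-releases such as 4.0.0-RC1) is affected.
FIXED = {4: (4, 17, 5), 5: (5, 9, 11)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text):
    """Return a comparable tuple for a Craft version string.

    Pre-release tags sort before the final release, as in semver:
    parse_version('4.17.5-RC1') < parse_version('4.17.5').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4) or ""
    return (major, minor, patch, 0 if pre else 1, pre)


def is_affected(version):
    """True if the version lies inside an affected range from the advisory."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # other major branches are not listed as affected
    return v < parse_version("%d.%d.%d" % fixed)


def version_from_composer_show(output):
    """Extract the installed version from `composer show craftcms/cms` output."""
    for line in output.splitlines():
        if line.startswith("versions"):
            return line.split("*", 1)[1].strip()  # 'versions : * 4.17.4'
    raise ValueError("no 'versions' line found in composer output")


# Constructed sample of the output the check expects to read.
SAMPLE_COMPOSER_SHOW = """name     : craftcms/cms
descrip. : Craft CMS
versions : * 4.17.4
"""

if __name__ == "__main__":
    installed = version_from_composer_show(SAMPLE_COMPOSER_SHOW)
    print(installed, "affected" if is_affected(installed) else "patched")
```

Pipe real output into `version_from_composer_show` and upgrade whenever `is_affected` returns True.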
What immediate steps should I take to mitigate this vulnerability?
The primary and immediate mitigation step is to update Craft CMS to a patched version where this vulnerability is fixed.
- Upgrade to Craft CMS version 4.17.5 or later if you are on the 4.x branch.
- Upgrade to Craft CMS version 5.9.11 or later if you are on the 5.x branch.
These versions include patches that sanitize serialized input and configuration data to prevent unsafe behavior injection leading to RCE.
Additionally, consider temporarily disabling the `allowAdminChanges` setting or restricting administrator permissions to reduce the attack surface until the update can be applied.