CVE-2026-32264
Received Received - Intake
Behavior Injection RCE in Craft CMS ElementIndexesController and FieldsController

Publication date: 2026-03-16

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-16
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-16
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32264
EUVD
EUVD-2026-12506
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 4.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms From 4.0.0.1 (inc) to 4.17.5 (exc)
craftcms craft_cms From 5.0.1 (inc) to 5.9.11 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32264 is a Remote Code Execution (RCE) vulnerability in Craft CMS affecting versions from 4.0.0-RC1 to before 4.17.5 and from 5.0.0-RC1 to before 5.9.11. The vulnerability arises from unsafe handling of serialized input data in the ElementIndexesController and FieldsController components. Specifically, the system parsed serialized condition configurations without proper validation or cleansing, allowing an attacker with administrator permissions and the allowAdminChanges setting enabled to inject malicious behavior that could be executed remotely.

The root cause was that serialized strings were directly parsed and passed to condition creation methods without sanitization. The fix involved adding a sanitization step using Component::cleanseConfig() to cleanse the configuration data before it is used, preventing unsafe data from being processed and thus mitigating the RCE risk.

Impact Analysis

This vulnerability can allow an attacker with Craft control panel administrator permissions and the allowAdminChanges setting enabled to execute arbitrary code remotely on the affected system. This means the attacker could potentially take full control of the server running Craft CMS, leading to unauthorized access, data theft, data manipulation, or disruption of services.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves behavior injection Remote Code Execution (RCE) in Craft CMS versions from 4.0.0-RC1 to before 4.17.5 and from 5.0.0-RC1 to before 5.9.11, specifically in ElementIndexesController and FieldsController. Detection would involve identifying if your Craft CMS installation is running a vulnerable version and if the conditions for exploitation are met (administrator permissions and allowAdminChanges enabled).

There are no explicit commands provided in the resources to detect exploitation attempts or presence of the vulnerability on your network or system.

However, as a general approach, you can check the version of Craft CMS installed by running commands like:

  • Check the composer package version: `composer show craftcms/cms`
  • Check the version in the Craft CMS control panel under Settings > System.

To detect suspicious activity related to this vulnerability, monitor logs for unusual serialized input or unexpected requests to endpoints related to ElementIndexesController or FieldsController, but no specific detection commands are provided.

Mitigation Strategies

The primary and immediate mitigation step is to update Craft CMS to a patched version where this vulnerability is fixed.

  • Upgrade to Craft CMS version 4.17.5 or later if you are on the 4.x branch.
  • Upgrade to Craft CMS version 5.9.11 or later if you are on the 5.x branch.

These versions include patches that sanitize serialized input and configuration data to prevent unsafe behavior injection leading to RCE.

Additionally, consider temporarily disabling the `allowAdminChanges` setting or restricting administrator permissions to reduce the attack surface until the update can be applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32264. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart