CVE-2026-32272
SQL Injection in Craft Commerce ProductQuery Enables Privilege Escalation
Publication date: 2026-04-13
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_commerce | From 5.0.0 (inc) to 5.5.4 (inc) |
| craftcms | craft_commerce | 5.6.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated control panel user to perform boolean-based blind SQL injection and extract arbitrary database contents, including the security keys needed to forge admin sessions and escalate privileges.
Unauthorized access and data extraction of this kind can violate data protection regulations such as GDPR and HIPAA, which require that sensitive personal and health information be protected against unauthorized access and breaches.
Exploitation could therefore compromise compliance with these standards by exposing sensitive data and enabling privilege escalation.
Can you explain this vulnerability to me?
This vulnerability exists in Craft Commerce versions 5.0.0 through 5.5.4 and is an SQL injection issue. It occurs because the properties ProductQuery::hasVariant and VariantQuery::hasProduct bypass an input sanitization blocklist that was added in a prior security fix. That blocklist only filters certain top-level Yii2 Query properties such as where and orderBy, so these two properties pass through unchecked. Internally they call Craft::configure() on a subquery without applying the same sanitization, which reintroduces the SQL injection risk.
Any authenticated control panel user can exploit this vulnerability using boolean-based blind SQL injection to extract arbitrary data from the database, including sensitive security keys. These keys could then be used to forge admin sessions, leading to privilege escalation.
The issue was fixed in version 5.6.0 of Craft Commerce.
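To show the shape of the flaw described above (a blocklist applied only to top-level query properties, so a nested relation config escapes it) beside a hardened variant, here is an added PHP example. It is not Craft's code; the function and constant names are hypothetical and the sample input is constructed.

```php
<?php
// Hypothetical illustration, not Craft Commerce source code.

// Query properties that must never be set from user-supplied config.
const BLOCKED_QUERY_PROPS = ['where', 'orderBy', 'select', 'from', 'join', 'having'];

// Flawed pattern: only the top-level keys of the config are checked.
// A nested relation config such as ['hasVariant' => ['where' => ...]]
// is never inspected, so the raw clause reaches the subquery untouched.
function applyConfigTopLevelBlocklist(array $config): array
{
    foreach (array_keys($config) as $key) {
        if (in_array($key, BLOCKED_QUERY_PROPS, true)) {
            throw new InvalidArgumentException("Query property '$key' is not allowed");
        }
    }
    return $config;
}

// Hardened pattern: an allowlist of user-settable params, applied recursively
// to every nested relation config so a subquery cannot smuggle raw SQL clauses.
const ALLOWED_PARAMS = ['id', 'slug', 'status', 'limit', 'hasVariant', 'hasProduct'];
const NESTED_PARAMS  = ['hasVariant', 'hasProduct'];

function applyConfigAllowlist(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (!in_array($key, ALLOWED_PARAMS, true)) {
            throw new InvalidArgumentException("Unknown or disallowed param '$key'");
        }
        $clean[$key] = (in_array($key, NESTED_PARAMS, true) && is_array($value))
            ? applyConfigAllowlist($value)   // recurse into the relation config
            : $value;
    }
    return $clean;
}

// Constructed sample: a raw where clause hidden inside the relation config.
$untrusted = ['status' => 'live', 'hasVariant' => ['where' => '<attacker-controlled clause>']];

foreach (['applyConfigTopLevelBlocklist', 'applyConfigAllowlist'] as $fn) {
    try {
        $fn($untrusted);
        echo "$fn: accepted (nested clause reached the subquery)\n";
    } catch (InvalidArgumentException $e) {
        echo "$fn: rejected: {$e->getMessage()}\n";
    }
}
```

The blocklist variant accepts the config because only `status` and `hasVariant` are visible at the top level, while the recursive allowlist rejects the nested `where` key.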
How can this vulnerability impact me?
This vulnerability can have serious impact because it allows any authenticated control panel user to perform SQL injection. Through it, an attacker can extract arbitrary database contents, including sensitive security keys.
With those security keys, an attacker can forge admin sessions and escalate privileges, gaining administrative control over the system and potentially compromising the entire ecommerce platform.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been fixed in Craft Commerce version 5.6.0. The immediate mitigation is to upgrade your Craft Commerce installation to version 5.6.0 or later.
Because exploitation requires an authenticated control panel user, restricting control panel access to trusted users and monitoring for suspicious activity can also reduce risk until the upgrade is applied.