CVE-2026-55792
Received - Intake

Data URL File Read in Craft CMS

Vulnerability report for CVE-2026-55792, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: GitHub, Inc.

Description

Craft CMS is a content management system (CMS). In versions from 4.0.0-RC1 up to, but not including, 4.18.0, and from 5.0.0-RC1 up to, but not including, 5.10.0, the dataUrl() Twig function is included in Craft's Twig sandbox allowlist, so any control panel user granted the utility:system-messages permission can embed a file-reading payload in a system email template. When such an email is sent, the server reads the target file and embeds its contents in the email body as a base64-encoded data URL. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY and third-party API keys, passes all of Craft's existing dataUrl() protection checks and is exfiltrated in full. With CRAFT_SECURITY_KEY an attacker can forge session tokens and escalate to full admin account takeover. This issue has been fixed in versions 4.18.0 and 5.10.0.

CVSS Scores

No CVSS score was shown for this CVE when the page was generated (2026-07-02).

EPSS Scores

Not yet evaluated (N/A).

Affected Vendors & Products

Showing 4 associated CPEs. The two version ranges are affected; the two single versions are the releases that contain the fix and are listed here only as the upper bound of each range.

Vendor     Product     Version / Range                    Status
craftcms   craft_cms   From 4.0.0-RC1 (inc) to 4.18.0 (exc)   affected
craftcms   craft_cms   From 5.0.0-RC1 (inc) to 5.10.0 (exc)   affected
craftcms   craft_cms   4.18.0                                  fixed
craftcms   craft_cms   5.10.0                                  fixed

CWE

CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Executive Summary

CVE-2026-55792 is a sensitive-file disclosure vulnerability in Craft CMS 4.x (4.0.0-RC1 up to, but not including, 4.18.0) and 5.x (5.0.0-RC1 up to, but not including, 5.10.0). The dataUrl() Twig function is on Craft's Twig sandbox allowlist, so any control panel user holding the utility:system-messages permission can place a file-reading call in a system email template.

When such an email is sent, the server reads the named file and embeds its contents in the message body as a base64-encoded data URL, which is then delivered with the email. The .env file, which typically holds the database password, CRAFT_SECURITY_KEY and third-party API keys, passes all of dataUrl()'s existing protection checks and is exfiltrated whole.

With CRAFT_SECURITY_KEY in hand an attacker can forge session tokens and escalate to full admin account takeover. The root cause is that dataUrl() remained callable from sandboxed templates while its existing checks did not stop reads of dotfiles such as .env.

This issue was fixed in Craft CMS 4.18.0 and 5.10.0.

Impact Analysis

Successful exploitation discloses the contents of files on the server, most importantly .env with its database password, CRAFT_SECURITY_KEY and third-party API keys.

With CRAFT_SECURITY_KEY an attacker can forge session tokens and escalate to full administrative control of the Craft CMS installation; the database password and API keys extend the compromise to the database and to any connected third-party services.

The required utility:system-messages permission is not limited to admins, so a low-privileged control panel user, or an attacker who has obtained such an account, can exploit the flaw wherever outgoing email is configured. Because the exfiltrated file rides inside an ordinary system email, the leak is easy to miss.

Mitigation Strategies

Upgrade Craft CMS to a release that contains the fix:

  • Craft CMS 4.18.0 or later on the 4.x series.
  • Craft CMS 5.10.0 or later on the 5.x series.

Until the upgrade is in place, restrict the utility:system-messages permission to fully trusted users and review who currently holds it, since that permission alone is enough to plant the file-reading payload in system email templates.

If an affected version was exposed to untrusted control panel users, treat the contents of .env as compromised: rotate CRAFT_SECURITY_KEY, the database password and any third-party API keys stored there, and invalidate existing sessions, since a forged session token stays usable for as long as the old key does.

Compliance Impact

The disclosed .env file carries database passwords, security keys and third-party API keys, and its loss can lead to full admin account takeover and access to whatever personal data the site stores.

Such an exposure may amount to a breach under data protection regimes like GDPR and HIPAA, which require strict controls on the confidentiality and integrity of personal and sensitive data, and may trigger notification obligations.

Organizations running affected versions therefore face compliance risk if the vulnerability is exploited, since it compromises critical credentials and potentially the personal data handled by the system.

Detection Guidance

Exploitation leaves two artefacts: a dataUrl() call in a system email template, planted by a user holding utility:system-messages, and an outgoing email whose body carries a base64-encoded data URL containing the file. Detection therefore looks at the templates, the permission assignments and the mail itself.

To detect exploitation attempts on your system, you can:

  • Review system email templates for any use of dataUrl(), in particular calls whose argument names a dotfile such as .env, walks up the directory tree, or is an absolute or alias path. System messages customised through the control panel are stored in the database rather than on disk, so check them there as well as in the templates directory.
  • Audit which users and user groups hold utility:system-messages, remembering that admin accounts hold every permission implicitly.
  • Inspect outgoing email (a mail archive, a BCC copy, or the mail transport's message store) for base64 data URLs in the body, and decode them to see whether the payload is NAME=value content.

Example commands to help detect suspicious activity might include:

  • On the Craft CMS server, search on-disk templates for dataUrl() calls: grep -rn 'dataUrl(' /path/to/craft/templates
  • Search stored messages rather than the transport log: a typical /var/log/mail.log records envelopes and queue IDs, not bodies, so grep -i 'data:text/plain;base64' /var/log/mail.log only helps where bodies are logged. Run the search against archived messages, match on ';base64,' rather than a fixed MIME type (the type in the data URL depends on the file), and decode the transfer encoding first, since a long data URL in a quoted-printable part is broken up by soft line breaks and will not match as one string.
  • Check user and group permissions in the control panel (or the user-permission tables in the database) for utility:system-messages.

No detection signatures are provided in the linked resources; the checks above follow from the mechanics of the vulnerability.
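The following Python script, an added example that is not part of this page's resources or of Craft CMS itself, ties the mechanism in the Description to the checks above: make_data_url() produces the shape of output the advisory describes (a file's bytes, base64-encoded inside a data URL); scan_raw_email() walks a MIME message's text parts, undoes the transfer encoding and decodes every data URL it finds, flagging payloads that look like a .env file; scan_template() flags dataUrl() calls in Twig source whose string argument names a dotfile, traverses upwards, is absolute, or is an @alias, as well as calls with a non-literal argument that cannot be judged statically. The sample .env content and the sample email are constructed with fake values; the "looks like .env" heuristic, the credential-name pattern and all function names are this example's own assumptions, not Craft's.

```python
"""Added example: spot a leaked .env in a system-message email and flag risky
dataUrl() calls in Twig templates. Not Craft CMS code; sample data is constructed
and every heuristic and name here is this example's own assumption."""
import base64
import re
from email import message_from_bytes
from email.message import EmailMessage

# Constructed .env-style content with obviously fake values (no real secrets).
SAMPLE_ENV = (
    "CRAFT_APP_ID=CraftCMS--example\n"
    "CRAFT_ENVIRONMENT=production\n"
    "CRAFT_SECURITY_KEY=ExampleOnlyNotARealKey000000000000\n"
    "CRAFT_DB_PASSWORD=example-db-password\n"
    "SOME_API_KEY=sk-example-0000\n"
)

# Any base64 data URL, whatever MIME type the server chose for the file.
DATA_URL_RE = re.compile(r"data:(?:[\w.+-]+/[\w.+-]+)?(?:;[^,;]+)*;base64,([A-Za-z0-9+/=]+)")
ENV_LINE_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")
SENSITIVE_NAME_RE = re.compile(r"KEY|SECRET|PASS|TOKEN", re.I)  # assumed credential-name pattern
DATAURL_CALL_RE = re.compile(r"dataUrl\(\s*([^)]*)\)")


def make_data_url(content: bytes, mime: str = "text/plain") -> str:
    """Shape of the output the advisory describes: file bytes, base64, inside a data URL."""
    return f"data:{mime};base64,{base64.b64encode(content).decode('ascii')}"


def looks_like_env(text: str) -> bool:
    """Heuristic: at least 80% of non-blank, non-comment lines are NAME=value."""
    lines = [l.strip() for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return bool(lines) and sum(1 for l in lines if ENV_LINE_RE.fullmatch(l)) / len(lines) >= 0.8


def sensitive_names(text: str) -> list[str]:
    """Names of NAME=value lines whose name suggests a credential."""
    names = [l.split("=", 1)[0].strip() for l in text.splitlines() if ENV_LINE_RE.fullmatch(l.strip())]
    return [n for n in names if SENSITIVE_NAME_RE.search(n)]


def scan_text(body: str) -> list[dict]:
    """Decode each base64 data URL in an already transfer-decoded body; report env-like payloads."""
    findings = []
    for m in DATA_URL_RE.finditer(body):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # not valid base64: skip rather than crash on odd markup
            continue
        if looks_like_env(decoded):
            findings.append({"offset": m.start(), "size": len(decoded), "secrets": sensitive_names(decoded)})
    return findings


def scan_raw_email(raw: bytes) -> list[dict]:
    """Walk the MIME parts so quoted-printable or base64 transfer encoding cannot hide the data URL."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)
        if payload is None:
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        findings.extend({"part": part.get_content_type(), **f} for f in scan_text(text))
    return findings


def scan_template(twig: str) -> list[dict]:
    """Flag dataUrl() calls: literal paths naming a dotfile, walking up, absolute or @alias,
    plus any call whose argument is not a string literal and so cannot be judged statically."""
    hits = []
    for m in DATAURL_CALL_RE.finditer(twig):
        arg = m.group(1).strip()
        lit = re.fullmatch(r"(['\"])(.*)\1", arg)
        if lit is None:
            hits.append({"arg": arg, "reason": "dynamic argument"})
            continue
        path = lit.group(2)
        if re.search(r"(^|/)\.[^/]", path) or ".." in path or path.startswith(("/", "@")):
            hits.append({"arg": path, "reason": "dotfile, traversal, absolute or alias path"})
    return hits


def build_sample_email() -> bytes:
    """Constructed message shaped like a system email whose body carries the leaked file."""
    msg = EmailMessage()
    msg["Subject"] = "Forgot your password?"
    msg["From"] = "noreply@example.test"
    msg["To"] = "user@example.test"
    msg.set_content(f'<p>Reset link</p><img src="{make_data_url(SAMPLE_ENV.encode())}">', subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_raw_email(build_sample_email()):
        print(finding)
    print(scan_template('{{ dataUrl("@root/.env") }} {{ dataUrl(asset) }} {{ dataUrl("images/logo.png") }}'))
```

Feed scan_raw_email() messages from a mail archive or BCC copy rather than lines from the transport log, and run scan_template() over both the on-disk templates and the bodies of system messages stored in the database; a dynamic-argument hit is not proof of abuse, only a call that needs a human to look at where its argument comes from.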
