CVE-2026-25495 Overview
CVE-2026-25495 is a SQL injection vulnerability in Craft CMS, a PHP content management system. It affects the element-indexes/get-elements controller action, where the criteria[orderBy] parameter of the JSON request body is used to build the ORDER BY clause of a database query without validation or escaping. An authenticated user with Control Panel access can therefore inject arbitrary SQL into the ORDER BY clause, which at minimum allows blind extraction of data that user is not entitled to read and, depending on the database engine and the privileges of the application's database account, further compromise.
Critical Impact
Authenticated attackers with Control Panel access can use this SQL injection to read data from the database, including content and credentials the account should not be able to see, and, depending on the database configuration, to modify data or escalate privileges within the Craft CMS application.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.16.17
- Craft CMS versions 5.0.0-RC1 through 5.8.21
Discovery Timeline
- 2026-02-09 - CVE-2026-25495 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-25495
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), occurring when user-controlled input is incorporated into SQL queries without proper sanitization. The element-indexes/get-elements endpoint accepts a JSON body containing criteria parameters that configure how elements are retrieved from the database. The criteria[orderBy] parameter is directly used in constructing the ORDER BY clause of SQL queries without validation or escaping.
The controller can also take a sort order from the viewState[order] parameter. An attacker with Control Panel access exploits the flaw by omitting viewState[order], or by setting both parameters to the same malicious payload, so that the injected criteria[orderBy] value is what reaches the query. An ORDER BY injection typically does not permit appending a separate statement, so practical exploitation is blind: the attacker reads data one bit at a time through the order of the returned results, a conditional error, or a conditional delay. Further impact depends on the functions and privileges available to the application's database account.
Root Cause
The root cause is missing input validation in ElementIndexesController.php. Criteria values received from the client, including orderBy, where, select, groupBy, join, having, union and other keys that control query structure rather than element filtering, were passed through to the query builder as-is, letting the client change the structure of the query rather than only its filter values. The fix removes these keys from the client-supplied criteria instead of attempting to sanitize them, since the Control Panel has no legitimate need to send them.
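To make the Vulnerability Analysis and Root Cause sections concrete, the following is an added example, not Craft CMS source code. It models the bug's shape (a client-controlled criteria['orderBy'] string spliced into an ORDER BY clause) against an in-memory SQLite table with constructed rows, shows how result ordering alone leaks data without any quotes or comment markers in the payload, and contrasts a hardened builder that drops the structural criteria keys the patch excerpt below unsets and validates the sort against an allowlist. The table, column and function names are assumptions for this toy model.

```python
"""Illustrative model of the CVE-2026-25495 pattern and its fix.

Added example, not Craft CMS code. Table, column and function names are
assumptions; the rows are constructed test data.
"""
import re
import sqlite3

# Constructed rows standing in for an elements table.
SAMPLE_ROWS = [
    (1, "Alpha", "admin@example.test"),
    (2, "Bravo", "editor@example.test"),
    (3, "Charlie", "viewer@example.test"),
]

# Criteria keys that shape query structure rather than filter elements;
# this is the list the fix unsets (see the patch excerpt on the page).
UNSUPPORTED_CRITERIA = {
    "where", "orderBy", "indexBy", "select", "selectOption", "from",
    "groupBy", "join", "having", "union", "withQueries", "params",
}

# Hypothetical allowlist of sortable columns for the toy table.
SORTABLE_COLUMNS = {"id", "title"}
ORDER_TERM = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.I)


def _run(sql):
    """Execute one query against a fresh in-memory copy of the toy table."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE elements (id INTEGER, title TEXT, secret TEXT)")
        conn.executemany("INSERT INTO elements VALUES (?, ?, ?)", SAMPLE_ROWS)
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def vulnerable_titles(criteria):
    """Vulnerable builder: criteria['orderBy'] goes straight into the SQL."""
    order_by = criteria.get("orderBy", "id")
    return _run(f"SELECT title FROM elements ORDER BY {order_by}")


def order_by_oracle(condition_sql):
    """An ORDER BY expression whose effect depends on a boolean condition:
    ascending by id when true, descending when false. No quotes or comment
    markers are needed, which is why signature-only filters often miss it."""
    return f"(CASE WHEN ({condition_sql}) THEN id ELSE -id END)"


def leak_char(position, alphabet="abcdefghijklmnopqrstuvwxyz@."):
    """Blind extraction of one character of a column the caller never sees:
    the order of the returned titles answers each yes/no question."""
    ascending = [title for _, title, _ in SAMPLE_ROWS]
    for ch in alphabet:
        cond = (f"substr((SELECT secret FROM elements WHERE id = 1), "
                f"{position}, 1) = '{ch}'")
        if vulnerable_titles({"orderBy": order_by_oracle(cond)}) == ascending:
            return ch
    return None


def cleanse_criteria(criteria):
    """Mirror of the fix: drop every key that would alter query structure."""
    return {k: v for k, v in criteria.items() if k not in UNSUPPORTED_CRITERIA}


def hardened_titles(criteria, sort="id"):
    """Hardened builder: criteria is cleansed (the remaining keys would feed
    the normal filter path, omitted in this toy) and the sort comes from a
    separate parameter that must name an allowlisted column."""
    safe = cleanse_criteria(criteria)
    assert "orderBy" not in safe  # structural keys never reach the query
    match = ORDER_TERM.match(sort)
    if not match or match.group(1) not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort: {sort!r}")
    direction = (match.group(2) or "asc").upper()
    return _run(f"SELECT title FROM elements ORDER BY {match.group(1)} {direction}")


if __name__ == "__main__":
    leaked = "".join(leak_char(i) or "?" for i in range(1, 6))
    print("leaked via ORDER BY oracle:", leaked)
    print("hardened sort:", hardened_titles({"orderBy": "ignored"}, "title desc"))
```

The oracle needs only a CASE expression, so a filter that looks for quote characters or SQL comment sequences would pass it; the durable fix is the one the patch takes, refusing structural keys from the client and allowlisting the sort column rather than escaping it.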
Attack Vector
The vulnerability is exploited over the network by authenticated users with Control Panel access. The attack requires:
- Valid authentication credentials for the Craft CMS Control Panel
- Crafting a malicious JSON request to the element-indexes/get-elements endpoint
- Including SQL injection payloads in the criteria[orderBy] parameter
- Omitting or manipulating the viewState[order] parameter to ensure the malicious payload is processed
The following excerpt of the post-fix code shows how the vulnerability was addressed: the unsupported and dangerous criteria attributes are unset before the client-supplied criteria are applied to the query.
                $criteria['draftOf'] = filter_var($criteria['draftOf'], FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            }
        }

        // Remove unsupported criteria attributes
        unset(
            $criteria['where'],
            $criteria['orderBy'],
            $criteria['indexBy'],
            $criteria['select'],
            $criteria['selectOption'],
            $criteria['from'],
            $criteria['groupBy'],
            $criteria['join'],
            $criteria['having'],
            $criteria['union'],
            $criteria['withQueries'],
            $criteria['params'],
        );

        Craft::configure($query, Component::cleanseConfig($criteria));
    }
Source: GitHub Commit Changes
Detection Methods for CVE-2026-25495
Indicators of Compromise
- Unusual or malformed requests to the element-indexes/get-elements endpoint containing SQL syntax in JSON parameters
- Database error logs showing SQL syntax errors or unexpected ORDER BY clause contents (a well-formed blind payload produces no error, so the absence of errors is not evidence that the endpoint was not abused)
- Evidence of data exfiltration or unauthorized database queries in application or database logs
- Anomalous Control Panel activity from compromised or suspicious user accounts
Detection Strategies
- Implement Web Application Firewall (WAF) rules that inspect JSON request bodies, not only query strings and form fields; ORDER BY payloads need no quotes or comment markers, so rules keyed on those alone will miss them
- Monitor access logs for requests that invoke the element-indexes/get-elements action with unusual parameter values; match on the action name rather than a single URL, because by default Craft routes controller actions through the actions/ trigger path, the p= path parameter, and an action request parameter
- Enable detailed SQL query logging and alert on queries with unexpected ORDER BY clause structures
- Deploy intrusion detection systems configured to identify SQL injection attack signatures
Monitoring Recommendations
- Configure real-time alerting for SQL errors originating from the ElementIndexesController
- Implement anomaly detection for Control Panel user activity patterns
- Monitor database query execution times for unusually long-running queries that may indicate blind SQL injection attempts
- Enable audit logging for all Control Panel authentication events and administrative actions
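The Indicators of Compromise, Detection Strategies and Monitoring Recommendations above can be turned into a small detector. The following is an added example, not part of the original page or of Craft CMS. It reads constructed JSON request records (one per line) and flags element-indexes/get-elements requests whose criteria.orderBy is anything other than a plain column list, or where criteria.orderBy is present while viewState.order is omitted or set to the same value (the two exploitation variants the advisory describes). The record fields (path, query, body, user) are an assumed log format, and the routing checks assume Craft's default actionTrigger ("actions"), pathParam ("p") and action request parameter; adapt them to the log source in use.

```python
"""Detector for the CVE-2026-25495 request pattern over JSON request logs.

Added example, not Craft CMS code. The record format is an assumption and
the sample records below are constructed.
"""
import json
import re

ACTION = "element-indexes/get-elements"

# A benign sort is a comma-separated list of identifiers, each optionally
# followed by asc/desc, e.g. "dateCreated desc" or "title, id asc".
SAFE_ORDER = re.compile(
    r"^\s*[A-Za-z_][\w.]*(\s+(asc|desc))?"
    r"(\s*,\s*[A-Za-z_][\w.]*(\s+(asc|desc))?)*\s*$",
    re.I,
)

# Constructed sample records: a normal Control Panel listing request, an
# injection attempt routed through the p= path parameter, an unrelated
# request, and a low-confidence hit where orderBy is present but benign.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2026-02-10T09:00:01Z", "user": "editor",
     "path": "/actions/element-indexes/get-elements", "query": {},
     "body": {"criteria": {"status": "live"}, "viewState": {"order": "dateCreated"}}},
    {"ts": "2026-02-10T09:00:07Z", "user": "editor",
     "path": "/index.php", "query": {"p": "actions/element-indexes/get-elements"},
     "body": {"criteria": {"orderBy": "(CASE WHEN (SELECT 1) THEN id ELSE title END)"}}},
    {"ts": "2026-02-10T09:00:09Z", "user": "-",
     "path": "/actions/users/login", "query": {}, "body": {}},
    {"ts": "2026-02-10T09:00:15Z", "user": "editor",
     "path": "/actions/element-indexes/get-elements", "query": {},
     "body": {"criteria": {"orderBy": "title asc"}, "viewState": {"order": "dateCreated"}}},
])


def is_get_elements(record):
    """Match the action however it was routed: pretty URL, p= path
    parameter, or an action parameter in the query string or body."""
    path = record.get("path") or ""
    query = record.get("query") or {}
    body = record.get("body") or {}
    return (path.rstrip("/").endswith(ACTION)
            or str(query.get("p", "")).rstrip("/").endswith(ACTION)
            or query.get("action") == ACTION
            or body.get("action") == ACTION)


def analyse(record):
    """Return {"severity", "reasons"} for a suspicious request, else None."""
    if not is_get_elements(record):
        return None
    body = record.get("body") or {}
    criteria = body.get("criteria") or {}
    view_state = body.get("viewState") or {}
    order_by = criteria.get("orderBy")
    if order_by is None:
        return None
    # The fix discards criteria.orderBy server-side, so a client sending it
    # is at least worth recording; an expression that is not a column list
    # is the actual injection signal.
    reasons = ["criteria.orderBy supplied by client"]
    severity = "low"
    if not (isinstance(order_by, str) and SAFE_ORDER.match(order_by)):
        reasons.append("criteria.orderBy is not a plain column list")
        severity = "high"
    vs_order = view_state.get("order")
    if vs_order is None:
        reasons.append("viewState.order omitted")
    elif vs_order == order_by:
        reasons.append("viewState.order mirrors criteria.orderBy")
    return {"severity": severity, "reasons": reasons}


def scan(lines):
    """Run analyse() over JSON lines, skipping malformed ones; return hits."""
    hits = []
    for number, line in enumerate(lines, start=1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = analyse(record)
        if verdict:
            hits.append({"line": number, "user": record.get("user"), **verdict})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']} user={hit['user']} {hit['severity']}: "
              + "; ".join(hit["reasons"]))
```

Low-severity hits (a benign-looking orderBy sent by the client) are useful mainly for spotting a user probing the parameter before a real payload; high-severity hits paired with an omitted or mirrored viewState.order are the pattern to page on, and the user field in each hit feeds the Control Panel account review recommended under mitigation.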
How to Mitigate CVE-2026-25495
Immediate Actions Required
- Update Craft CMS to version 4.16.18 or 5.8.22 immediately
- Review Control Panel access logs for evidence of exploitation attempts
- Audit user accounts with Control Panel access and revoke unnecessary privileges
- Implement network-level restrictions on Control Panel access if possible
Patch Information
Craft CMS has released security patches addressing this vulnerability. Users should update to the following versions:
- Craft CMS 4.x: Update to version 4.16.18 or later
- Craft CMS 5.x: Update to version 5.8.22 or later
Detailed patch information is available in the GitHub Security Advisory GHSA-2453 and the GitHub Release 5.8.22.
Workarounds
- Restrict Control Panel access to trusted IP addresses using firewall rules or web-server configuration; make sure the restriction also covers the action trigger path and path-parameter routes through which controller actions can be reached, not only the cpTrigger path (the nginx example below notes this)
- Implement additional authentication layers (VPN, MFA) for Control Panel access
- Deploy a Web Application Firewall with SQL injection detection rules in front of the Craft CMS application
- Temporarily restrict access to the element-indexes controller actions at the web-server layer if immediate patching is not possible; element indexes drive the Control Panel's element listing pages, so blocking the action outright disables those pages
# Example: Restrict Craft CMS Control Panel access by IP in nginx.
# Assumes the default cpTrigger ("admin") and actionTrigger ("actions").
# Requests can also reach controller actions through the pathParam query
# string (/index.php?p=actions/...) or an "action" request parameter, which
# this location block does not match; cover those at the application or
# firewall layer as well.
location ~ ^/(admin|actions)(/|$) {
    allow 192.168.1.0/24;
    allow 10.0.0.0/8;
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.