CVE-2026-28783 Overview
CVE-2026-28783 is a critical Code Injection vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in Craft CMS's implementation of a blocklist designed to prevent dangerous PHP functions from being executed via Twig non-Closure arrow functions. Due to an incomplete blocklist, several PHP functions remain accessible, enabling malicious actors with elevated privileges to execute various attack payloads including Remote Code Execution (RCE), arbitrary file reads, Server-Side Request Forgery (SSRF), and Server-Side Template Injection (SSTI).
Critical Impact
Attackers with administrative access or compromised admin accounts can bypass Craft CMS's security controls to achieve remote code execution, read arbitrary files, perform SSRF attacks, and exploit SSTI vulnerabilities due to an incomplete PHP function blocklist in Twig template processing.
Affected Products
- Craft CMS versions prior to 5.9.0-beta.1
- Craft CMS versions prior to 4.17.0-beta.1
- All Craft CMS 4.x versions from 4.0.0 onwards (including RC releases)
- All Craft CMS 5.x versions from 5.0.0 onwards (including RC releases)
Discovery Timeline
- 2026-03-04 - CVE-2026-28783 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28783
Vulnerability Analysis
This vulnerability stems from a weakness classified as CWE-94 (Improper Control of Generation of Code / Code Injection). Craft CMS uses Twig as its templating engine and implements a security mechanism designed to prevent the execution of dangerous PHP functions through Twig's non-Closure arrow functions. However, the blocklist implementation is incomplete, leaving several potentially dangerous PHP functions accessible to users with sufficient privileges.
Successful exploitation requires one of three conditions to be met: the allowAdminChanges configuration option must be enabled in production environments, the attacker must have compromised an administrative account, or the attacker must have access to the System Messages utility. When any of these prerequisites are satisfied, an attacker can leverage the unblocked PHP functions to execute a variety of malicious payloads.
The attack surface is network-accessible, meaning remote exploitation is possible once the authentication requirements are met. The vulnerability affects both the confidentiality and integrity of the system, as attackers can read arbitrary files and execute arbitrary code on the underlying server.
Root Cause
The root cause of CVE-2026-28783 is an incomplete security blocklist implementation. Craft CMS maintains a list of PHP functions that should be blocked when processing Twig templates to prevent code injection attacks. However, this blocklist fails to include several dangerous PHP functions that can be abused for malicious purposes. This oversight allows attackers to call these unblocked functions through Twig's arrow function syntax, bypassing the intended security controls.
Attack Vector
The attack is executed over the network and requires the attacker to have elevated privileges within the Craft CMS application. The attack flow involves:
- The attacker gains access to an administrative account or leverages an account with access to the System Messages utility
- Through the Twig templating interface, the attacker crafts a malicious template using arrow function syntax
- The attacker calls PHP functions that are not included in the blocklist
- These function calls can result in RCE, arbitrary file reads, SSRF, or SSTI depending on the functions used
The vulnerability mechanism involves exploiting the gap between intended and actual function restrictions in Craft CMS's Twig template processing. When a template is rendered, Twig arrow functions that call unblocked PHP functions are executed on the server, allowing the attacker to perform unauthorized actions. For detailed technical information about the specific functions affected, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-28783
Indicators of Compromise
- Unusual or unauthorized modifications to Twig templates, particularly those containing arrow function syntax
- Unexpected outbound network connections from the web server (potential SSRF activity)
- Anomalous file access patterns, especially reads of sensitive configuration files
- Suspicious administrative account activity or login attempts from unfamiliar locations
Detection Strategies
- Monitor Craft CMS audit logs for template modifications by administrative users
- Implement web application firewall rules to detect template injection patterns in HTTP requests
- Deploy file integrity monitoring on Twig template directories to detect unauthorized changes
- Review server logs for unusual PHP function execution patterns or error messages
Monitoring Recommendations
- Enable comprehensive logging for Craft CMS administrative actions, particularly template editing
- Configure alerts for new administrative account creation or privilege escalation
- Monitor outbound network traffic from web servers for SSRF-related activity
- Implement real-time monitoring for file access anomalies on the server
How to Mitigate CVE-2026-28783
Immediate Actions Required
- Upgrade Craft CMS 5.x installations to version 5.9.0-beta.1 or later immediately
- Upgrade Craft CMS 4.x installations to version 4.17.0-beta.1 or later immediately
- Audit administrative accounts and remove unnecessary privileges from user accounts
- Disable allowAdminChanges in production environments if not strictly required
Patch Information
Craft CMS has released patched versions that address this vulnerability. The fix is available in versions 5.9.0-beta.1 and 4.17.0-beta.1. Organizations running affected versions should update to these releases as soon as possible. The GitHub Pull Request #18208 contains the technical details of the fix, and the GitHub Security Advisory GHSA-5fvc-7894-ghp4 provides additional context about the vulnerability.
Workarounds
- Set allowAdminChanges to false in production environments to reduce the attack surface
- Restrict access to the System Messages utility to only essential personnel
- Implement strong multi-factor authentication for all administrative accounts
- Review and audit all existing Twig templates for potentially malicious code before upgrading
# Configuration example - Disable admin changes in production
# In your .env file or config/general.php
# Set allowAdminChanges to false for production environments
# .env approach:
ALLOW_ADMIN_CHANGES=false
# config/general.php approach:
# return [
# 'allowAdminChanges' => false,
# ];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
