CVE-2026-29172 Overview
CVE-2026-29172 is a SQL Injection vulnerability affecting Craft Commerce, the ecommerce platform for Craft CMS. The vulnerability exists in the purchasables table endpoint where the sort parameter is improperly handled. When processing sort requests, the parameter is split by the pipe character (|) and the first part (column name) is passed directly as an array key to orderBy() without whitelist validation. Because Yii2's query builder does NOT escape array keys, an authenticated attacker can inject arbitrary SQL into the ORDER BY clause, potentially leading to unauthorized data access, data manipulation, or complete database compromise.
Critical Impact
Authenticated attackers can inject arbitrary SQL commands into the ORDER BY clause, potentially extracting sensitive customer data, payment information, and administrative credentials from the Craft Commerce database.
Affected Products
- Craft Commerce versions prior to 4.10.2
- Craft Commerce versions prior to 5.5.3
- craftcms craft_commerce (all vulnerable versions)
Discovery Timeline
- 2026-03-10 - CVE-2026-29172 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29172
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) stems from insufficient input validation in the sorting functionality of the purchasables table endpoint. The vulnerability affects the OrdersController.php file where user-supplied sort parameters are processed. When a request includes a sort parameter, the application splits it using the pipe delimiter and uses the resulting field name directly in the Yii2 query builder's orderBy() method.
The critical flaw lies in how Yii2's query builder handles array keys: unlike array values, keys are not automatically escaped or parameterized. This architectural decision, combined with the lack of whitelist validation in Craft Commerce, creates a direct path for SQL injection into the ORDER BY clause.
An authenticated attacker with access to the commerce administration interface can craft malicious sort parameters to execute arbitrary SQL statements. This could enable extraction of sensitive data including customer records, payment details, order history, and administrative credentials through time-based or error-based SQL injection techniques.
Root Cause
The root cause is the absence of whitelist validation for the sort field parameter before passing it to Yii2's orderBy() method. The code directly uses user input as an array key in the query builder without verifying that the field name matches an expected list of sortable columns. Yii2's query builder is designed to escape values but not array keys, creating an injection point when untrusted input is used as a key.
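The root cause above is easiest to see side by side. The following Python model is an added example, not Craft Commerce or Yii2 code: it reproduces the two ways the endpoint's sort parameter is read (a `field|direction` string or a list of `sortField`/`direction` dicts, the shapes the patch handles), then contrasts the pre-patch path, where the text before the pipe reaches the ORDER BY fragment verbatim, with the patched allowlist check. The `orders` table, its rows and the column names are constructed for the demonstration; only the allowlist (`reference`, `dateOrdered`, `totalPrice`) and the `dateOrdered DESC` default come from the advisory.

```python
import sqlite3

# Columns that may legitimately be sorted by: the same allowlist the fix introduces.
SORTABLE_FIELDS = frozenset({"reference", "dateOrdered", "totalPrice"})
DIRECTIONS = frozenset({"asc", "desc"})
DEFAULT_ORDER = "dateOrdered DESC"


def parse_sort(sort):
    """Split the request's sort parameter into (field, direction) without
    validating it. Accepts both shapes the patched code handles: a
    'field|direction' string or a list of {'sortField', 'direction'} dicts."""
    if isinstance(sort, list):
        if not sort or not isinstance(sort[0], dict):
            return None, None
        return sort[0].get("sortField"), sort[0].get("direction")
    if isinstance(sort, str):
        parts = sort.split("|", 1)
        if len(parts) != 2:
            return None, None
        return parts[0], parts[1]
    return None, None


def unsafe_order_by(sort):
    """Model of the pre-patch logic: the text before the pipe is concatenated
    into the ORDER BY fragment verbatim. Returned as a string only; never executed here."""
    field, direction = parse_sort(sort)
    if field and direction:
        return f"{field} {direction}"
    return DEFAULT_ORDER


def safe_order_by(sort):
    """Model of the patched logic: field and direction must both be on the
    allowlist, otherwise the request falls back to the default ordering.
    Like the patch, the direction check is case-sensitive."""
    field, direction = parse_sort(sort)
    if field in SORTABLE_FIELDS and direction in DIRECTIONS:
        return f"{field} {direction}"
    return DEFAULT_ORDER


def make_db():
    """Constructed in-memory table standing in for the commerce orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (reference TEXT, dateOrdered TEXT, totalPrice REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        ("A100", "2026-01-05", 10.0),
        ("A101", "2026-01-07", 30.0),
        ("A102", "2026-01-06", 20.0),
    ])
    return conn


def fetch_references(conn, sort):
    """Run the query with the allowlisted ORDER BY fragment; return references in order."""
    clause = safe_order_by(sort)
    rows = conn.execute(f"SELECT reference FROM orders ORDER BY {clause}").fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(unsafe_order_by("reference, totalPrice|asc"))  # an extra expression reaches SQL verbatim
    print(safe_order_by("reference, totalPrice|asc"))    # rejected; default ordering applies
    print(fetch_references(db, "totalPrice|asc"))
```

The point of the contrast is that `safe_order_by` never interpolates anything it did not itself choose: the only strings that can reach the `f"ORDER BY {clause}"` are the allowlisted column names and directions, so the query builder's non-escaping of keys no longer matters.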
Attack Vector
The attack is network-based and requires authentication to the Craft CMS administrative interface. An attacker with valid credentials (even low-privileged) can manipulate the sort parameter in requests to the purchasables table endpoint. By injecting SQL syntax into the column name portion of the sort parameter, the attacker can append arbitrary SQL to the ORDER BY clause.
The following patch demonstrates how the vulnerability was addressed by implementing proper whitelist validation:
$orderQuery->search($search);
}
+ $orderQuery->orderBy('dateOrdered DESC');
if ($sort) {
- [$field, $direction] = explode('|', $sort);
+ if (is_array($sort)) {
+ $field = $sort[0]['sortField'];
+ $direction = $sort[0]['direction'];
+ } else {
+ [$field, $direction] = explode('|', $sort);
+ }
+
+ // Validate sorting
+ if (!in_array($direction, ['asc', 'desc']) ||
+ !in_array($field, [
+ 'reference',
+ 'dateOrdered',
+ 'totalPrice',
+ ])
+ ) {
+ $field = null;
+ $direction = null;
+ }
if ($field && $direction) {
$orderQuery->orderBy($field . ' ' . $direction);
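Review bot: the new array branch reads `$sort[0]['sortField']` and `$sort[0]['direction']` without checking that `$sort[0]` or those keys exist, and the string branch still destructures `explode('|', $sort)` into two variables, so an array-valued `sort` missing a key, or a string without a pipe, emits undefined-index warnings before the allowlist check runs (the check then nulls both values, so this is robustness rather than a bypass). Use `$sort[0]['sortField'] ?? null` and `$sort[0]['direction'] ?? null`, and add a `count()` check after the explode. Both `in_array()` calls should also pass `true` as the third argument: with loose comparison a boolean `true` direction from array input compares equal to `'asc'` and would then be concatenated into the clause. Finally, the direction check is case-sensitive, so `DESC` is rejected and the `dateOrdered DESC` default added above silently applies; either `strtolower()` the value before the check or document that only lowercase is accepted.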
Source: GitHub Commit b231b920
Detection Methods for CVE-2026-29172
Indicators of Compromise
- Unusual or malformed sort parameter values in HTTP requests to Craft Commerce endpoints containing SQL syntax such as CASE, WHEN, SLEEP(), or comment sequences (--, /*)
- Abnormal database query execution times indicating time-based SQL injection attempts
- Error messages in application logs revealing SQL syntax errors or unexpected query structures
- Suspicious access patterns to the purchasables table endpoint with repeated requests varying only in sort parameter
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in the sort parameter, specifically looking for ORDER BY injection signatures
- Enable detailed query logging on the database server to identify malformed or unusually complex ORDER BY clauses
- Monitor for authentication events followed by rapid requests to commerce administrative endpoints
- Deploy application-level logging to capture and alert on sort parameters containing non-alphanumeric characters
Monitoring Recommendations
- Configure SIEM alerts for SQL injection patterns in Craft CMS access logs
- Monitor database query performance metrics for anomalous execution times that may indicate blind SQL injection
- Implement real-time alerting on Craft Commerce administrative endpoint access with unusual parameter patterns
- Review Yii2 application logs for PDOException errors that may indicate failed injection attempts
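The first and fourth indicators above, and the application-level logging suggestion, can be checked offline against web-server logs. The following Python is an added example (not from Craft CMS or from this advisory's source) that scans combined-format access-log lines for `sort` values containing SQL syntax and for clients that hit one endpoint repeatedly with nothing but the `sort` value changing. The log lines are constructed, and the endpoint path `/admin/commerce/purchasables-table` is a placeholder, since the advisory does not give the real route.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: client, two user fields, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords from the IoC list, matched as whole words so that a legitimate
# column name such as dateUpdated is not mistaken for UPDATE.
SQL_KEYWORDS = re.compile(r"\b(CASE|WHEN|THEN|SLEEP|SELECT|UNION|BENCHMARK)\b", re.IGNORECASE)
COMMENT_SEQ = re.compile(r"--|/\*")
# What a legitimate value looks like: one column name, a pipe, a direction.
LEGIT_SORT = re.compile(r"^[A-Za-z0-9_]+\|(asc|desc)$", re.IGNORECASE)

# Constructed sample log; the endpoint path is a placeholder, not Craft's real route.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Mar/2026:12:00:01 +0000] "GET /admin/commerce/purchasables-table?sort=dateOrdered%7Cdesc HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Mar/2026:12:00:09 +0000] "GET /admin/commerce/purchasables-table?sort=totalPrice%7Casc&page=2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:05:00 +0000] "GET /admin/commerce/purchasables-table?sort=reference%7Casc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:05:01 +0000] "GET /admin/commerce/purchasables-table?sort=reference%7Cdesc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:05:02 +0000] "GET /admin/commerce/purchasables-table?sort=totalPrice%7Casc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:05:03 +0000] "GET /admin/commerce/purchasables-table?sort=dateOrdered%7Casc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2026:12:05:04 +0000] "GET /admin/commerce/purchasables-table?sort=reference%2C(SLEEP(3))%7Casc HTTP/1.1" 500 214',
    '203.0.113.7 - - [10/Mar/2026:12:05:05 +0000] "GET /admin/commerce/purchasables-table?sort=reference%20--%7Casc HTTP/1.1" 500 214',
]


def classify_sort(value):
    """Return the reasons a decoded sort value looks like injection; empty if it looks normal."""
    reasons = []
    if LEGIT_SORT.match(value):
        return reasons
    if SQL_KEYWORDS.search(value):
        reasons.append("sql-keyword")
    if COMMENT_SEQ.search(value):
        reasons.append("comment-sequence")
    if re.search(r"[^A-Za-z0-9_|]", value):
        reasons.append("non-alphanumeric")
    return reasons


def parse_line(line):
    """Extract client, path, the decoded sort value and the remaining query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    sort_values = params.get("sort", [])
    return {
        "client": m["client"],
        "path": parts.path,
        "sort": sort_values[0] if sort_values else None,
        "other": tuple(sorted((k, tuple(v)) for k, v in params.items() if k != "sort")),
    }


def analyze(lines, burst_threshold=5):
    """Flag (a) individual requests whose sort value carries SQL syntax and
    (b) clients sending one endpoint many requests that differ only in sort."""
    findings = []
    variants = defaultdict(set)  # (client, path, other params) -> distinct sort values seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["sort"] is None:
            continue
        reasons = classify_sort(rec["sort"])
        if reasons:
            findings.append(("suspicious-sort", rec["client"], rec["sort"], reasons))
        variants[(rec["client"], rec["path"], rec["other"])].add(rec["sort"])
    for (client, path, _other), values in variants.items():
        if len(values) >= burst_threshold:
            findings.append(("sort-burst", client, path, len(values)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Decoding the query string before matching matters: the pipe arrives as `%7C` and a comma as `%2C`, so patterns applied to the raw URL would miss or mis-read values. The burst rule keys on the other query parameters as well as the client and path, so ordinary paging (`page=2`) is not counted as a variant of the same request.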
How to Mitigate CVE-2026-29172
Immediate Actions Required
- Upgrade Craft Commerce to version 4.10.2 or later for the 4.x branch
- Upgrade Craft Commerce to version 5.5.3 or later for the 5.x branch
- Review database access logs for any evidence of exploitation prior to patching
- Consider rotating database credentials if exploitation is suspected
Patch Information
Craft CMS has released security patches addressing this vulnerability. The fixes implement proper whitelist validation for both the sort field and direction parameters, ensuring only expected values (reference, dateOrdered, totalPrice) can be used in queries.
Workarounds
- If immediate patching is not possible, implement WAF rules to block requests containing SQL keywords in the sort parameter
- Restrict access to Craft Commerce administrative interfaces to trusted IP addresses only
- Temporarily disable or restrict access to the purchasables table endpoint functionality
- Implement database-level monitoring to detect and block suspicious query patterns
# Example nginx configuration to block SQL injection patterns in the sort parameter
location /admin/commerce {
    # Match only inside the sort value ([^&]* rather than .*) so that later
    # parameters such as page=2 are not flagged, and match keywords as whole
    # words (\b) so a legitimate name such as dateUpdated is not taken for UPDATE
    if ($args ~* "(^|&)sort=[^&]*([;'\"()=]|\b(CASE|WHEN|THEN|ELSE|SELECT|UNION|INSERT|UPDATE|DELETE|DROP|EXEC|SLEEP)\b)") {
        return 403;
    }
    # Continue with normal processing
    proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

