CVE-2026-29174 Overview
Craft Commerce, an ecommerce platform for Craft CMS, contains a critical SQL Injection vulnerability in the inventory levels table data endpoint. Prior to version 5.5.3, the sort[0][direction] and sort[0][sortField] parameters are concatenated directly into an addOrderBy() clause without any validation or sanitization. An authenticated attacker with access to the Commerce Inventory section can inject arbitrary SQL queries, potentially leading to a full database compromise.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries through the inventory levels endpoint, potentially extracting sensitive data, modifying database contents, or achieving full database compromise.
Affected Products
- Craft Commerce versions prior to 5.5.3
- craftcms craft_commerce (all versions before the security patch)
- Craft CMS installations utilizing the Commerce Inventory feature
Discovery Timeline
- 2026-03-10 - CVE-2026-29174 published to NVD
- 2026-03-11 - Last updated in NVD database
Technical Details for CVE-2026-29174
Vulnerability Analysis
This SQL Injection vulnerability exists within the inventory management functionality of Craft Commerce. The flaw occurs because user-controlled input from sorting parameters is directly incorporated into SQL query construction without proper validation or sanitization. Specifically, the sort[0][direction] and sort[0][sortField] parameters passed to the inventory levels table data endpoint are concatenated into an addOrderBy() clause, creating a classic injection point.
The vulnerability requires authentication and access to the Commerce Inventory section, limiting the attack surface to users with elevated privileges. However, once exploited, an attacker gains the ability to execute arbitrary SQL commands against the underlying database, potentially extracting sensitive customer data, payment information, or administrative credentials stored within the Craft CMS database.
Root Cause
The root cause is insufficient input validation in the InventoryController.php file. The sorting field and direction values are accepted from user input and passed directly to the query builder without being validated against an allowlist of permitted values. This violates the principle of treating all user input as untrusted and allows attackers to break out of the intended SQL context.
Attack Vector
The attack is network-based and requires low-privilege authentication (access to Commerce Inventory section). An attacker can craft malicious HTTP requests to the inventory levels endpoint, manipulating the sort[0][direction] or sort[0][sortField] parameters to inject SQL syntax. Since these values are concatenated into an ORDER BY clause, common SQL injection techniques such as subqueries, UNION-based attacks, or time-based blind injection can be employed to extract data or manipulate the database.
// Vulnerable code before patch (src/controllers/InventoryController.php)
// User input directly used without validation
$field = $sort[0]['sortField'];
$direction = $sort[0]['direction'];
if ($field && $direction) {
    if ($field == 'sku') {
        $field = 'purchasables.sku';
    }
    // Values concatenated into query without sanitization
}
Source: GitHub Commit
Detection Methods for CVE-2026-29174
Indicators of Compromise
- Unusual SQL error messages in web server logs related to inventory endpoints
- Abnormal database query patterns or execution times from the Craft Commerce application
- Unexpected data access patterns to the inventory levels table
- HTTP requests containing SQL syntax in sort[0][direction] or sort[0][sortField] parameters
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SQL injection patterns in sorting parameters
- Monitor application logs for requests to inventory endpoints with suspicious parameter values
- Enable database query logging and alert on anomalous ORDER BY clauses
- Deploy intrusion detection signatures targeting SQL injection in HTTP POST/GET parameters
Monitoring Recommendations
- Set up real-time alerting for SQL syntax characters in inventory API requests (e.g., single quotes, semicolons, UNION keywords)
- Monitor database server for unusual query execution times or error rates
- Track user activity within the Commerce Inventory section for anomalous access patterns
- Review authentication logs for compromised accounts with inventory access privileges
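The detection and monitoring items above can be applied without pattern-matching on individual SQL characters: because the 5.5.3 fix accepts only a fixed set of values for sort[0][sortField] and sort[0][direction], any request carrying a value outside that set is anomalous by definition. The following is an added example written for this page, not Craft Commerce code. It scans access-log lines in Common Log Format for inventory requests whose sort values fall outside the patch's allowlist. The log lines are constructed, and the endpoint path pattern (/inventory) is an assumption to be replaced with the real control-panel route in your installation.

```python
"""Allowlist-based detector for suspicious inventory sort parameters.

Added example for this advisory, not Craft Commerce code. It scans web
server access-log lines (Common Log Format, constructed below) for requests
to the inventory endpoint whose sort[0][sortField] / sort[0][direction]
values are not on the allowlist the 5.5.3 patch enforces. The endpoint path
pattern is an assumption; adjust it to your own Craft control-panel route.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Values the patched InventoryController accepts (from the advisory's patch).
ALLOWED_DIRECTIONS = {"asc", "desc"}
ALLOWED_FIELDS = {
    "item", "sku", "reservedTotal", "damagedTotal", "safetyTotal",
    "qualityControlTotal", "committedTotal", "availableTotal",
    "onHandTotal", "incomingTotal",
}
SORT_PARAMS = {
    "sort[0][sortField]": ALLOWED_FIELDS,
    "sort[0][direction]": ALLOWED_DIRECTIONS,
}

# Assumption: inventory table-data requests have "/inventory" in the path.
INVENTORY_PATH = re.compile(r"/inventory(/|$)", re.I)

# Minimal Common Log Format parser: client IP, timestamp, method, target, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def check_sort_params(query_string):
    """Return (param, value) pairs whose value is off the patch's allowlist.

    Exact matching is used on purpose: the patch's in_array() check is
    case-sensitive, so a value such as 'ASC' is rejected by the fix and is
    flagged here as well.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    findings = []
    for name, allowed in SORT_PARAMS.items():
        for value in params.get(name, []):
            if value not in allowed:
                findings.append((name, value))
    return findings


def scan_access_log(lines):
    """Return one alert dict per inventory request with off-allowlist sort values."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we understand; skip it
        url = urlsplit(m.group("target"))
        if not INVENTORY_PATH.search(url.path):
            continue  # only the inventory endpoint is in scope
        findings = check_sort_params(url.query)
        if findings:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "findings": findings,
            })
    return alerts


# Constructed sample log lines (not real traffic). Bracketed keys appear
# percent-encoded on the wire (sort%5B0%5D%5BsortField%5D); parse_qs decodes them.
SAMPLE_LOG = [
    '10.0.0.5 - editor [10/Mar/2026:09:14:02 +0000] "GET /admin/commerce/inventory/levels-table-data?sort%5B0%5D%5BsortField%5D=sku&sort%5B0%5D%5Bdirection%5D=asc HTTP/1.1" 200 1842',
    '10.0.0.5 - editor [10/Mar/2026:09:14:40 +0000] "GET /admin/commerce/inventory/levels-table-data?sort%5B0%5D%5BsortField%5D=sku%27&sort%5B0%5D%5Bdirection%5D=asc HTTP/1.1" 500 312',
    '10.0.0.7 - editor [10/Mar/2026:09:15:11 +0000] "GET /admin/commerce/inventory/levels-table-data?sort%5B0%5D%5BsortField%5D=onHandTotal&sort%5B0%5D%5Bdirection%5D=asc%3B HTTP/1.1" 200 1842',
    '10.0.0.9 - - [10/Mar/2026:09:16:00 +0000] "GET /admin/commerce/orders?sort%5B0%5D%5BsortField%5D=sku%27 HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(alert)
```

Two caveats worth keeping in mind when deploying something like this: control-panel table-data requests may be sent as POST bodies rather than query strings, in which case the parameters never reach the access log and the same check has to run in an application-level request log or WAF; and a 500 status alongside an off-allowlist value (the second sample line) is exactly the "unusual SQL error" indicator listed above, so it merits higher priority than a flagged request that returned 200.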
How to Mitigate CVE-2026-29174
Immediate Actions Required
- Upgrade Craft Commerce to version 5.5.3 or later immediately
- Review database access logs for any signs of exploitation prior to patching
- Audit user accounts with access to the Commerce Inventory section
- Consider temporarily restricting access to the inventory management feature until patched
Patch Information
Craft CMS has released version 5.5.3 of Craft Commerce which addresses this vulnerability. The fix implements strict allowlist validation for both the sorting direction and field parameters, ensuring only predefined safe values are accepted. Security patches are available via the GitHub Security Advisory GHSA-pmgj-gmm4-jh6j.
Relevant commits:
Workarounds
- Restrict access to the Commerce Inventory section to only essential administrative users
- Implement additional WAF rules to block SQL injection attempts targeting inventory endpoints
- Deploy network-level filtering to limit access to administrative Craft CMS interfaces
- Enable verbose logging on inventory-related endpoints to detect exploitation attempts
// Security patch implementation (src/controllers/InventoryController.php)
// Validates sorting inputs against allowlists
$field = $sort[0]['sortField'];
$direction = $sort[0]['direction'];
// Validate the sorting inputs
if (!in_array($direction, ['asc', 'desc']) ||
    !in_array($field, [
        'item',
        'sku',
        'reservedTotal',
        'damagedTotal',
        'safetyTotal',
        'qualityControlTotal',
        'committedTotal',
        'availableTotal',
        'onHandTotal',
        'incomingTotal',
    ])) {
    $field = null;
    $direction = null;
}
if ($field && $direction) {
    if ($field == 'sku') {
        $field = 'purchasables.sku';
    }
}
Source: GitHub Commit
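The patch above works because it never lets user input reach the SQL text: ORDER BY takes a column name and a direction, and neither can be passed as a bound query parameter, so an allowlist that maps the request value onto a fixed column expression is the correct fix rather than escaping. The following is an added example, not Craft Commerce's code, that re-expresses the same allowlist mapping in Python against an in-memory SQLite database. The sort keys and the purchasables.sku mapping come from the patch; the table layout, the remaining column names, and the rows are constructed for the demo and are not Craft's real schema.

```python
"""Allowlist-mapped ORDER BY, as an added example (not Craft Commerce code).

Database engines cannot take a column name or sort direction as a bound
parameter, so an ORDER BY built from user input must map that input onto a
fixed set of column expressions, as the 5.5.3 patch does. The schema and
rows below are constructed for the demo and are not Craft's real tables.
"""
import sqlite3

# Sort keys from the advisory's patch mapped to the column expression that
# actually gets concatenated. Only these mapped strings ever reach the SQL.
SORT_COLUMNS = {
    "item": "purchasables.description",   # column name is an assumption
    "sku": "purchasables.sku",            # the joined column the patch special-cases
    "reservedTotal": "levels.reservedTotal",
    "damagedTotal": "levels.damagedTotal",
    "safetyTotal": "levels.safetyTotal",
    "qualityControlTotal": "levels.qualityControlTotal",
    "committedTotal": "levels.committedTotal",
    "availableTotal": "levels.availableTotal",
    "onHandTotal": "levels.onHandTotal",
    "incomingTotal": "levels.incomingTotal",
}
ALLOWED_DIRECTIONS = ("asc", "desc")


def build_order_by(sort_field, direction):
    """Return an ORDER BY fragment, or '' when either value is off the allowlist.

    Like the patch, an invalid pair drops the ordering entirely rather than
    keeping the half that happened to validate. Matching is exact and
    case-sensitive, mirroring the patch's in_array() check.
    """
    column = SORT_COLUMNS.get(sort_field)
    if column is None or direction not in ALLOWED_DIRECTIONS:
        return ""
    return f" ORDER BY {column} {direction.upper()}"


def inventory_levels(conn, sort_field=None, direction=None):
    """Fetch (sku, onHandTotal) rows; sorting is applied only via the mapping."""
    sql = (
        "SELECT purchasables.sku, levels.onHandTotal "
        "FROM levels JOIN purchasables ON purchasables.id = levels.purchasableId"
        + build_order_by(sort_field, direction)
    )
    return conn.execute(sql).fetchall()


def make_demo_db():
    """In-memory SQLite database with constructed inventory rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE purchasables (id INTEGER PRIMARY KEY, sku TEXT, description TEXT);
        CREATE TABLE levels (
            purchasableId INTEGER, reservedTotal INTEGER, damagedTotal INTEGER,
            safetyTotal INTEGER, qualityControlTotal INTEGER, committedTotal INTEGER,
            availableTotal INTEGER, onHandTotal INTEGER, incomingTotal INTEGER);
        INSERT INTO purchasables VALUES (1, 'B-200', 'Bolt'), (2, 'A-100', 'Anchor'),
                                        (3, 'C-300', 'Clamp');
        INSERT INTO levels VALUES (1, 0, 0, 0, 0, 0, 5, 5, 0),
                                  (2, 1, 0, 0, 0, 0, 1, 2, 4),
                                  (3, 0, 0, 0, 0, 0, 9, 9, 0);
    """)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    print(inventory_levels(db, "sku", "asc"))           # sorted by SKU
    print(inventory_levels(db, "onHandTotal", "desc"))  # sorted by quantity on hand
    print(inventory_levels(db, "sku'", "asc"))          # off-allowlist: no ORDER BY at all
```

The design point to take from this is that the request value is used only as a dictionary key; the string that reaches the query is always one of the literals in SORT_COLUMNS, so there is no input the caller can supply that changes the SQL beyond choosing among those literals.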
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

