CVE-2026-31857 Overview
CVE-2026-31857 is a Remote Code Execution (RCE) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists within the conditions system where the BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() — an unsandboxed Twig rendering function with escaping disabled. This allows any authenticated Control Panel user, including non-admin roles such as Author or Editor, to achieve full remote code execution by sending a crafted condition rule via standard element listing endpoints.
Critical Impact
Authenticated users with basic Control Panel access can execute arbitrary code on the server, bypassing all production hardening settings including allowAdminChanges: false, devMode: false, and enableTwigSandbox: true.
Affected Products
- Craft CMS versions prior to 5.9.9
- Craft CMS versions prior to 4.17.4
Discovery Timeline
- 2026-03-11 - CVE-2026-31857 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-31857
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly referred to as Code Injection. The flaw resides in how Craft CMS processes element selection condition rules within its conditions system. The BaseElementSelectConditionRule::getElementIds() method accepts user-controlled input and passes it directly to renderObjectTemplate(), which performs Twig template rendering without sandboxing or proper escaping.
The critical aspect of this vulnerability is that it requires no administrative privileges — any authenticated user with basic Control Panel access can exploit it. Furthermore, the vulnerability bypasses all production hardening configurations, making even properly secured Craft CMS installations susceptible to attack.
Root Cause
The root cause is the use of an unsandboxed Twig rendering function (renderObjectTemplate()) to process user-controlled input in the BaseElementSelectConditionRule class. The function renders Twig templates without enabling the security sandbox, allowing attackers to inject and execute arbitrary Twig code that can be leveraged for server-side code execution.
Attack Vector
The attack is network-based and requires authentication to the Craft CMS Control Panel. An attacker with any level of Control Panel access (Author, Editor, or similar roles) can craft a malicious condition rule payload and submit it through standard element listing endpoints. The payload is processed by the vulnerable getElementIds() method, which renders the attacker-controlled input as a Twig template, resulting in arbitrary code execution on the server.
// Vulnerable code path (before patch)
// src/base/conditions/BaseElementSelectConditionRule.php
} else {
$referenceElement = new stdClass();
}
- return Craft::$app->getView()->renderObjectTemplate($elementId, $referenceElement);
+ return Craft::$app->getView()->renderSandboxedObjectTemplate($elementId, $referenceElement);
}
return $this->_elementId;
}
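Review bot: with `renderSandboxedObjectTemplate()` the sandbox policy is now the only barrier, because any non-numeric `$elementId` is still handed to the template engine as a template; consider validating the value up front (plain integer, or the expected object-template placeholder form) and documenting in the method that `$elementId` is user-supplied. The `else` branch also substitutes an empty `stdClass` as the reference element, so the template is rendered with no element context, which the docblock should state.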
Source: GitHub Commit Reference
The fix replaces the unsandboxed renderObjectTemplate() call with renderSandboxedObjectTemplate(), ensuring that user-controlled input is processed within Twig's security sandbox.
Detection Methods for CVE-2026-31857
Indicators of Compromise
- Unusual or malformed requests to element listing endpoints containing Twig template syntax (e.g., {{ }} or {% %})
- Unexpected process spawning or system command execution from the web server process
- Anomalous file system modifications or creation of new files outside expected Craft CMS directories
- Authentication logs showing non-admin users accessing element condition endpoints with unusual payloads
Detection Strategies
- Monitor web application logs for requests containing Twig template injection patterns in condition rule parameters
- Implement Web Application Firewall (WAF) rules to detect and block Server-Side Template Injection (SSTI) payloads
- Enable and review Craft CMS application logs for unusual template rendering errors or exceptions
- Deploy endpoint detection to identify unexpected child processes spawned by the web server
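The log-monitoring strategy above, as an added example that is not part of the original advisory or of Craft CMS: it scans constructed request-log lines for Twig delimiters inside condition-rule parameters on Control Panel endpoints, decoding URL-encoding repeatedly so double-encoded payloads are not missed. The `/admin/` prefix, the endpoint path and the parameter names are assumptions for the example, not values from the page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlparse

# Twig delimiters; none of these belong in an element-select condition value.
TWIG_SYNTAX = re.compile(r"\{\{|\{%|\{#|%\}|\}\}")
# Assumed CP URL prefix (Craft's cpTrigger setting defaults to "admin").
CP_PREFIX = "/admin/"
# Assumed: condition-rule parameters mention "condition" or "elementId" in
# their (possibly nested) key; adjust to the real parameter names you observe.
SUSPECT_KEY = re.compile(r"condition|elementId", re.I)

def decode_layers(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are still inspected."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(user, method, url, body=""):
    """Return a finding dict when a Control Panel request carries Twig syntax
    in a condition-related query or form parameter, otherwise None."""
    parsed = urlparse(url)
    if not parsed.path.startswith(CP_PREFIX):
        return None  # front-end requests never reach the condition system
    params = parse_qsl(parsed.query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    for key, raw in params:
        value = decode_layers(raw)
        if SUSPECT_KEY.search(key) and TWIG_SYNTAX.search(value):
            return {"user": user, "method": method, "path": parsed.path,
                    "param": key, "value": value}
    return None

def scan(log_lines):
    """Run flag_request over tab-separated lines: user, method, url, body."""
    hits = (flag_request(*line.rstrip("\n").split("\t")) for line in log_lines)
    return [hit for hit in hits if hit]

# Constructed sample lines, not real traffic; endpoint paths are assumed.
SAMPLE_LOG = [
    "editor1\tGET\t/admin/entries?site=default\t",
    "author2\tPOST\t/admin/actions/element-indexes/get-elements\t"
    "condition%5BconditionRules%5D%5B0%5D%5BelementId%5D=%257B%257B+x+%257D%257D",
    "admin\tPOST\t/admin/actions/element-indexes/get-elements\t"
    "condition%5BconditionRules%5D%5B0%5D%5BelementId%5D=42",
    "author2\tGET\t/index.php?q=%7B%7B+x+%7D%7D\t",
]
```

Only the double-encoded `author2` request is reported; the numeric rule and the front-end request are ignored, which keeps the rule from firing on ordinary site traffic that happens to contain braces.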
Monitoring Recommendations
- Establish baseline behavior for Control Panel users and alert on deviations in endpoint access patterns
- Configure real-time alerting for any execution of system commands from the PHP process context
- Review and audit all non-admin user accounts with Control Panel access
- Implement file integrity monitoring on critical server directories
How to Mitigate CVE-2026-31857
Immediate Actions Required
- Update Craft CMS to version 5.9.9 or 4.17.4 immediately to apply the security patch
- Audit Control Panel access logs for any suspicious activity from authenticated users
- Review and restrict Control Panel access to only essential personnel until patching is complete
- Consider temporarily disabling non-admin Control Panel access if immediate patching is not possible
Patch Information
The vulnerability has been addressed in Craft CMS versions 5.9.9 and 4.17.4. The patch modifies the BaseElementSelectConditionRule::getElementIds() method to use renderSandboxedObjectTemplate() instead of the unsandboxed renderObjectTemplate() function. For detailed patch information, refer to the GitHub Security Advisory and the commit implementing the fix.
Workarounds
- Restrict Control Panel access to trusted IP addresses using firewall rules or .htaccess configuration
- Temporarily revoke Control Panel access for non-essential users until patching is complete
- Implement additional authentication layers (e.g., VPN requirement) for Control Panel access
- Deploy WAF rules to filter potential SSTI payloads targeting element listing endpoints
# Example: Restrict Craft CMS Control Panel access by IP in nginx
# The path below assumes the default cpTrigger ("admin"); change it if the
# Control Panel URL was customised. Behind a reverse proxy or CDN, configure
# the real_ip module (set_real_ip_from / real_ip_header) first, otherwise
# every client is seen as the proxy address and the allow list is meaningless.
location /admin {
    allow 192.168.1.0/24;   # Trusted internal network
    allow 10.0.0.50;        # Specific admin IP
    deny all;
    try_files $uri $uri/ /index.php?$query_string;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.