CVE-2026-31858 Overview
CVE-2026-31858 is a SQL injection vulnerability in Craft CMS, an open-source content management system maintained by Pixel & Tonic. The flaw resides in the ElementSearchController::actionSearch() endpoint, which was not patched alongside the related ElementIndexesController fix delivered for CVE-2026-25495. Any authenticated control panel user, including non-administrators, can inject arbitrary SQL through criteria[where], criteria[orderBy], or related query properties. Attackers can extract full database contents using boolean-based blind injection techniques. The issue is patched in Craft CMS version 5.9.9.
Critical Impact
Authenticated low-privilege users can execute arbitrary SQL queries against the backing database, exposing credentials, session data, and stored content via blind injection.
Affected Products
- Craft CMS versions prior to 5.9.9
- Craft CMS 5.0.0
- Craft CMS 5.0.0-rc1
Discovery Timeline
- 2026-03-11 - CVE-2026-31858 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-31858
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw [CWE-89] affecting the Craft CMS control panel search functionality. When the ElementSearchController::actionSearch() action receives a request, it forwards user-supplied criteria parameters directly into element query construction. The fix shipped for CVE-2026-25495 introduced an unset() guard in ElementIndexesController to strip dangerous keys such as orderBy from incoming criteria arrays. That same protection was never applied to ElementSearchController, leaving an identical attack surface exposed on a parallel endpoint.
Because the request requires only an authenticated control panel session, the bar for exploitation is low in environments where editor or author accounts are provisioned broadly. Successful exploitation results in full database confidentiality and integrity loss.
Root Cause
The root cause is missing input sanitization on element criteria parameters passed to the search controller. The criteria[orderBy] and criteria[where] fields are concatenated into SQL fragments through Craft's query builder without filtering out user-controllable expressions. Unlike ElementIndexesController, the search controller did not call unset() on the unsafe keys before passing the array to the query layer.
Attack Vector
An authenticated attacker sends a crafted POST request to the element search endpoint with malicious values in criteria[orderBy] or criteria[where]. By chaining boolean conditions, the attacker infers database contents character by character through differential response analysis. No administrator role, social engineering, or user interaction is required.
// Security patch in src/controllers/ElementSearchController.php
// Fixed GHSA-g7j6-fmwx-7vp8
use craft\errors\InvalidTypeException;
use craft\helpers\Component;
use craft\helpers\Cp;
+use craft\helpers\ElementHelper;
use craft\helpers\Search;
use craft\web\Controller;
use yii\web\BadRequestHttpException;
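Review bot: the hunk only adds the `use craft\helpers\ElementHelper;` import; the call site in actionSearch() where the helper is applied to the incoming criteria array is not shown, so this excerpt alone does not demonstrate that orderBy or where keys are stripped before the array reaches the query builder. Include the lines that invoke ElementHelper on the criteria array (the counterpart of the unset() guard in ElementIndexesController) so the change can be checked against the root cause described above.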
Source: Craft CMS patch commit e1a3dd6. The patch imports ElementHelper so the controller can sanitize criteria arrays consistently with the earlier ElementIndexesController fix.
Detection Methods for CVE-2026-31858
Indicators of Compromise
- Control panel POST requests to the element search action containing SQL keywords such as SELECT, UNION, SLEEP, BENCHMARK, or CASE WHEN inside criteria[orderBy] or criteria[where] parameters.
- Unusually long or repeating sequences of search requests from a single authenticated session, indicative of blind extraction loops.
- Web server logs showing HTTP 200 responses with variable response sizes tied to small parameter mutations.
Detection Strategies
- Inspect Craft CMS access logs for requests to the actions/element-search/search route that contain encoded SQL metacharacters in criteria parameters.
- Enable database query logging and alert on element queries containing nested boolean expressions or sub-selects originating from the control panel.
- Correlate failed and successful authentications against subsequent bursts of search requests to identify abuse of low-privilege accounts.
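As an added example (not code from this page or from Craft CMS), the keyword check and the per-session burst check from the lists above run over constructed request records; the route and parameter names are taken from the advisory, while the record shape, the sample values and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Route, parameter names and keyword list come from the advisory's IoC list above;
# tune BURST_THRESHOLD against a per-user baseline of normal search volume.
SEARCH_ROUTE = "actions/element-search/search"
WATCHED_KEYS = ("criteria[orderBy]", "criteria[where]")
SQL_KEYWORDS = re.compile(r"\b(SELECT|UNION|SLEEP|BENCHMARK|CASE\s+WHEN)\b", re.IGNORECASE)
BURST_THRESHOLD = 3

# Constructed records: (session id, request path, URL-encoded POST body). A plain
# access log lacks POST bodies; a reverse proxy or WAF that logs parameters has them.
SAMPLE_REQUESTS = [
    ("sess-a1", "/index.php?p=admin/actions/element-search/search",
     "criteria[orderBy]=title&search=SELECT+committee+minutes"),  # keyword only in free text
    ("sess-b2", "/index.php?p=admin/actions/element-search/search",
     "criteria[orderBy]=title%2C%20CASE%20WHEN%201%3D1%20THEN%201%20ELSE%202%20END&search=a"),
    ("sess-b2", "/index.php?p=admin/actions/element-search/search",
     "criteria[where]=%28SELECT%201%29%3D1&search=a"),
    ("sess-b2", "/index.php?p=admin/actions/element-search/search",
     "criteria[orderBy]=title&search=b"),
    ("sess-c3", "/index.php?p=admin/actions/entries/save-entry",
     "title=UNION+station+reopening"),  # unrelated route, not inspected
]

def flag_request(path, body):
    """(key, decoded value) pairs in watched criteria keys that match; [] if clean."""
    if SEARCH_ROUTE not in path:
        return []
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for key in WATCHED_KEYS:
        for value in params.get(key, []):
            if SQL_KEYWORDS.search(value):
                hits.append((key, value))
    return hits

def analyse(requests, burst_threshold=BURST_THRESHOLD):
    """Return (flagged hits, sessions issuing >= burst_threshold search requests);
    the burst check catches extraction loops whose payloads evade the keyword list."""
    flagged, searches = [], Counter()
    for session, path, body in requests:
        if SEARCH_ROUTE in path:
            searches[session] += 1
        flagged.extend((session, key, value) for key, value in flag_request(path, body))
    bursty = {s for s, n in searches.items() if n >= burst_threshold}
    return flagged, bursty
```

Keywords in the free-text search field or on other control panel routes are deliberately not flagged, so the keyword check stays scoped to the parameters the advisory names.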
Monitoring Recommendations
- Forward Craft CMS application logs, PHP-FPM logs, and database query logs to a centralized analytics platform for retroactive search.
- Baseline normal control panel search volume per user and alert on deviations exceeding that baseline.
- Monitor for outbound data transfers from the web tier that follow patterns of staged database extraction.
How to Mitigate CVE-2026-31858
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.9 or later on all production and staging environments.
- Audit control panel user accounts and disable any inactive or unnecessary editor and author accounts.
- Rotate database credentials, API keys, and admin session secrets that may have been exposed through the affected database.
Patch Information
The vendor released the fix in Craft CMS 5.9.9. The corrective commit e1a3dd669ae31491b86ad996e88a1d30d33d9a42 adds ElementHelper usage to ElementSearchController so that unsafe criteria keys are stripped before reaching the query builder. Full details are available in the Craft CMS GHSA-g7j6-fmwx-7vp8 advisory.
Workarounds
- Restrict access to the Craft CMS control panel using IP allowlists or VPN gating until the upgrade is applied.
- Reduce the number of users holding control panel access and enforce multi-factor authentication on all remaining accounts.
- Place the control panel behind a web application firewall with rules that block SQL metacharacters inside criteria[*] parameters.
# Upgrade Craft CMS using Composer
composer require craftcms/cms:^5.9.9 --update-with-dependencies
php craft up
php craft clear-caches/all
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.