CVE-2026-32261 Overview
CVE-2026-32261 is a Server-Side Template Injection (SSTI) vulnerability in the Webhooks plugin for Craft CMS. The plugin, which enables management of webhooks to send GET or POST requests when certain events occur, renders user-supplied template content through Twig's renderString() function without sandbox protection. This allows an authenticated user with access to the Craft control panel and permissions to access the Webhooks plugin to inject Twig template code that calls arbitrary PHP functions.
Critical Impact
Authenticated attackers with Webhooks plugin access can achieve Remote Code Execution by injecting malicious Twig template code that executes arbitrary PHP functions, even when allowAdminChanges is set to false.
Affected Products
- Webhooks for Craft CMS plugin versions 3.0.0 up to, but not including, 3.2.0
- Craft CMS installations with vulnerable Webhooks plugin versions
Discovery Timeline
- 2026-03-16 - CVE-2026-32261 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32261
Vulnerability Analysis
This vulnerability falls under CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine). The Webhooks plugin processes user-supplied content in webhook payload templates using Twig's renderString() function without implementing sandbox restrictions. Twig, the template engine used by Craft CMS, provides powerful capabilities that can be abused when user input is processed without proper controls.
The vulnerability is particularly concerning because it bypasses the allowAdminChanges configuration setting, which is typically used in production environments to prevent administrative modifications. An authenticated user with access to the Webhooks plugin can craft malicious Twig template code within webhook configurations that, when processed, executes arbitrary PHP functions on the server.
Root Cause
The root cause is the use of renderString() instead of renderSandboxedString() when processing user-supplied payload templates. The renderString() function provides full access to Twig's capabilities, including the ability to call PHP functions through Twig's object access and filter mechanisms. Without sandbox protection, there are no restrictions on what code can be executed through the template engine.
Attack Vector
The attack vector is network-based and requires authentication to the Craft CMS control panel with permissions to access the Webhooks plugin. An attacker can:
- Access the Webhooks plugin configuration interface
- Create or modify a webhook with a malicious payload template
- Inject Twig template code that leverages Craft CMS's Twig extensions to call arbitrary PHP functions
- Trigger the webhook event to execute the malicious code
The following patch shows the security fix that replaces the vulnerable renderString() with renderSandboxedString():
if (in_array($webhook->method, ['post', 'put'], true)) {
// Build out the body data
if ($webhook->payloadTemplate) {
- $json = $view->renderString($webhook->payloadTemplate, [
+ $json = $view->renderSandboxedString($webhook->payloadTemplate, [
'event' => $e,
]);
$data = Json::decodeIfJson($json);
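Review bot: renderSandboxedString() only exists in Craft versions that ship the sandbox infrastructure, so this hunk must land together with the composer.json constraint bump to ^4.17.0 / ^5.9.0 that the advisory mentions; on an older Craft the call would be a hard failure rather than a fallback to the unsafe render. Worth confirming in review that this post/put branch is the only place payloadTemplate is rendered, and that the sandbox policy applied to the 'event' => $e object exposes only the properties payload templates actually need.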
Source: GitHub Commit Details
Detection Methods for CVE-2026-32261
Indicators of Compromise
- Unusual webhook configurations containing Twig filter chains or object method calls
- Webhook payload templates whose Twig blocks ({{ ... }} or {% ... %}) go beyond plain variable output, for example by calling filters, functions, or object methods, or by referencing system functions
- Unexpected outbound connections or process executions originating from Craft CMS
- Audit logs showing modifications to webhook configurations by unauthorized or suspicious users
Detection Strategies
- Monitor Craft CMS audit logs for webhook creation or modification events
- Implement file integrity monitoring on Craft CMS plugin directories
- Review webhook payload templates for suspicious Twig code patterns
- Deploy web application firewall rules to detect SSTI patterns in form submissions
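As an added detection example (not code from the advisory or the Webhooks plugin), the following Python heuristic scans exported webhook payload templates for the Twig constructs listed above; the sample webhook records, the pattern names and the record shape (name, payloadTemplate) are constructed for this example, and the output is a triage list for manual review, since legitimate templates also use method calls and filters.

```python
import re
from typing import Dict, List

# Heuristic patterns for Twig constructs that can reach PHP callables or
# arbitrary object members. Constructed for this example; tune to your templates.
RISKY_PATTERNS = {
    "object_method_call": re.compile(r"\.\s*[A-Za-z_]\w*\s*\("),          # foo.bar(...)
    "attribute_function": re.compile(r"\battribute\s*\("),                 # attribute(obj, name)
    "callable_filter": re.compile(r"\|\s*(map|filter|reduce|sort)\s*\("),  # filters taking callables
    "constant_lookup": re.compile(r"\bconstant\s*\("),                     # constant('...')
    "dynamic_template": re.compile(r"\b(include|source|template_from_string)\s*\("),
}

# Matches {{ ... }} and {% ... %} blocks, including whitespace-control dashes.
TWIG_BLOCK = re.compile(r"\{[{%]-?\s*(.*?)\s*-?[}%]\}", re.S)


def extract_twig_blocks(template: str) -> List[str]:
    """Return the inner text of every Twig output or logic block in a template."""
    return [m.group(1) for m in TWIG_BLOCK.finditer(template)]


def scan_payload_template(template: str) -> Dict[str, List[str]]:
    """Return {pattern_name: [offending block, ...]}; an empty dict means nothing was flagged."""
    findings: Dict[str, List[str]] = {}
    for block in extract_twig_blocks(template):
        for name, pattern in RISKY_PATTERNS.items():
            if pattern.search(block):
                findings.setdefault(name, []).append(block)
    return findings


def triage(webhooks) -> Dict[str, Dict[str, List[str]]]:
    """Map each flagged webhook name to its findings. Records are dicts with
    'name' and 'payloadTemplate' (constructed shape mirroring the plugin's field name)."""
    report = {}
    for w in webhooks:
        findings = scan_payload_template(w["payloadTemplate"])
        if findings:
            report[w["name"]] = findings
    return report


# Constructed sample webhook records: one benign, one that warrants review.
SAMPLE_WEBHOOKS = [
    {"name": "entry-saved",
     "payloadTemplate": '{"id": {{ event.sender.id }}, "title": "{{ event.sender.title|e("json") }}"}'},
    {"name": "odd-one",
     "payloadTemplate": '{{ event.sender.getSite().handle }} {% set x = attribute(event, "sender") %}'},
]

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_WEBHOOKS).items():
        print(f"REVIEW {name}: {findings}")
```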
Monitoring Recommendations
- Enable comprehensive logging for the Webhooks plugin and Craft CMS control panel access
- Set up alerts for webhook configuration changes, especially in production environments
- Monitor server processes for unexpected PHP execution patterns
- Implement network monitoring for unusual outbound connections from the CMS server
How to Mitigate CVE-2026-32261
Immediate Actions Required
- Upgrade the Webhooks plugin to version 3.2.0 or later immediately
- Audit existing webhook configurations for potentially malicious payload templates
- Review control panel access logs for suspicious webhook modifications
- Restrict Webhooks plugin permissions to only essential administrative users
Patch Information
The vulnerability has been patched in Webhooks plugin version 3.2.0. The fix implements Twig sandbox protection by replacing the renderString() function with renderSandboxedString() when processing webhook payload templates. Additionally, the patch updates the Craft CMS dependency requirements to versions ^4.17.0 or ^5.9.0, which include the necessary sandbox infrastructure.
Detailed patch information is available in the GitHub Security Advisory GHSA-8wg7-wm29-2rvg.
Workarounds
- Temporarily disable the Webhooks plugin until the patch can be applied
- Remove Webhooks plugin access permissions from non-essential users
- Implement additional access controls at the web server level for the Craft CMS control panel
- Set allowAdminChanges to false in production (note: this does not fully mitigate the vulnerability but reduces the attack surface)
# Update Webhooks plugin via Composer
composer require craftcms/webhooks:^3.2.0
php craft migrate/all
php craft project-config/apply
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.