CVE-2026-32263 Overview
CVE-2026-32263 is a high-severity Object Injection vulnerability affecting Craft CMS, a popular content management system built on the Yii2 PHP framework. The vulnerability exists in src/controllers/EntryTypesController.php where the $settings array from parse_str is passed directly to Craft::configure() without proper sanitization using Component::cleanseConfig(). This allows attackers to inject Yii2 behavior and event handlers through specially crafted "as" or "on" prefixed keys, potentially leading to remote code execution.
Critical Impact
Authenticated administrators can exploit this vulnerability to inject malicious Yii2 behavior/event handlers, potentially achieving remote code execution on vulnerable Craft CMS installations.
Affected Products
- Craft CMS versions 5.6.0 to 5.9.10
- Vendor / product identifier: craftcms / craft_cms
Discovery Timeline
- 2026-03-16 - CVE-2026-32263 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32263
Vulnerability Analysis
This vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), a type of Object Injection flaw. The vulnerability stems from improper handling of user-controlled input in the Entry Types controller. When processing configuration settings, the controller fails to sanitize array keys that use Yii2's special prefixes ("as" for behaviors and "on" for event handlers).
The Yii2 framework's Craft::configure() method interprets keys prefixed with "as" as behavior definitions and "on" as event handler definitions. Without proper cleansing via Component::cleanseConfig(), attackers with control panel administrator access can inject arbitrary PHP class instantiations or callable references through these specially crafted keys.
Exploitation requires authenticated access to the Craft CMS control panel with administrator privileges, and the allowAdminChanges configuration option must be enabled. This represents the same attack vector identified in a previous advisory, indicating an incomplete fix in the affected version range.
Root Cause
The root cause is that the array produced by parse_str() is passed directly to Craft::configure() in EntryTypesController.php without sanitization. The Component::cleanseConfig() helper, which exists precisely to strip "as" and "on" prefixed keys from configuration arrays, was not called before the configuration was applied. Because of this omission, specially crafted input bypasses the intended control and can register arbitrary behaviors or event handlers on Yii2 components.
Attack Vector
The attack is network-accessible and requires authenticated access with administrator privileges. An attacker must have valid credentials for the Craft CMS control panel, and the allowAdminChanges setting must be enabled (it is enabled by default in development environments). The attacker submits entry type settings containing "as" or "on" prefixed array keys that reference attacker-controlled PHP classes or callables. When the vulnerable controller processes these settings, the behaviors or handlers are registered and executed, potentially allowing arbitrary code execution on the server.
// Security patch adding Component helper import
// Source: https://github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
use craft\enums\Color;
use craft\fieldlayoutelements\entries\EntryTitleField;
use craft\helpers\ArrayHelper;
+use craft\helpers\Component;
use craft\helpers\Cp;
use craft\helpers\Html;
use craft\helpers\StringHelper;
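Review bot: the visible hunk adds only the `use craft\helpers\Component;` import; the call site where `Component::cleanseConfig()` is applied to the `$settings` array before `Craft::configure()` is not shown, so these lines alone do not demonstrate that the sanitization happens. Include the controller hunk that wraps the `parse_str()` result in `Component::cleanseConfig()` so the ordering (cleanse first, then configure) can be verified, and consider adding a regression test that posts a nested `as ` or `on ` key and asserts it never reaches the configured component.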
The patch adds the Component helper import, which is then used to call Component::cleanseConfig() on the settings array before passing it to Craft::configure(), removing any dangerous "as" or "on" prefixed keys.
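To make the effect of the fix concrete, here is an added example (it is not Craft's code and not part of the patch above): a stand-alone PHP re-implementation of the key-stripping step that Component::cleanseConfig() performs, run over a constructed request body of the shape the advisory describes. The function name cleanseSettings, the PLACEHOLDER values and the sample body are assumptions for this illustration; Craft's own helper lives in craft\helpers\Component.

```php
<?php
// Added example, not Craft's code: a stand-alone re-implementation of the
// "drop `as ` / `on ` keys" step performed by Component::cleanseConfig(), so the
// effect of the fix can be seen without a Craft install. Requires PHP 8.0+.
declare(strict_types=1);

/**
 * Recursively remove any string key that Yii2's Component::__set() would treat
 * as a behavior definition ("as <name>") or an event handler ("on <name>").
 * Nested arrays are cleansed too, because the injected key may sit at any depth.
 */
function cleanseSettings(array $config): array
{
    foreach ($config as $key => $value) {
        if (is_string($key) && (str_starts_with($key, 'as ') || str_starts_with($key, 'on '))) {
            unset($config[$key]);
            continue;
        }
        if (is_array($value)) {
            $config[$key] = cleanseSettings($value);
        }
    }
    return $config;
}

// Constructed request body: legitimate entry-type settings plus two keys of the
// shape the advisory describes (placeholder names; no real class or callable).
// parse_str() URL-decodes array index names, so "as%20..." becomes "as ...".
$rawBody = 'settings[titleFormat]=%7Btitle%7D'
    . '&settings[as%20placeholderBehavior][class]=PLACEHOLDER'
    . '&settings[nested][on%20afterSave]=PLACEHOLDER';
parse_str($rawBody, $post);

// Before the fix, this array reached Craft::configure() unchanged.
$beforeFix = $post['settings'];
// After the fix, only the cleansed array is applied to the component.
$afterFix = cleanseSettings($post['settings']);

echo "settings before cleansing:\n", var_export($beforeFix, true), "\n\n";
echo "settings after cleansing:\n", var_export($afterFix, true), "\n";
```

Running the script shows that titleFormat survives while both the top-level "as " key and the nested "on " key are removed, which is the property the real fix restores by calling Component::cleanseConfig() before Craft::configure().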
Detection Methods for CVE-2026-32263
Indicators of Compromise
- Unusual HTTP POST requests to entry type configuration endpoints containing "as " or "on " prefixed parameters
- Unexpected PHP errors or warnings related to class instantiation in Craft CMS logs
- Evidence of unauthorized behavior or event handler registration in application debug logs
Detection Strategies
- Monitor web application logs for suspicious requests to /admin/entry-types/ endpoints with unusual parameter names
- Implement Web Application Firewall (WAF) rules to detect and block requests containing Yii2 behavior injection patterns
- Review Craft CMS audit logs for unexpected entry type configuration changes by administrator accounts
- Deploy SentinelOne Singularity to detect and prevent malicious PHP code execution attempts
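The following is an added example, not part of the advisory and not a Craft or SentinelOne tool: a small PHP scanner that applies the indicators listed above (POST requests to the entry-types endpoints whose URL-encoded body carries a parameter name starting with "as " or "on ") to constructed log lines. The log line format, the path prefix /admin/entry-types/ (which assumes the default cpTrigger of admin) and all sample bodies are assumptions for the illustration; adapt the parser to your server's actual log format.

```php
<?php
// Added example, not from the advisory or Craft: flag logged requests whose body
// carries a Yii2 behavior/event-handler key shape on the entry-types endpoints.
// Log line format, path prefix and sample data are constructed for this example.
declare(strict_types=1);

// Assumption: control panel at the default "admin" cpTrigger.
const ENTRY_TYPES_PATH = '/admin/entry-types/';

/**
 * Does a URL-encoded body contain a parameter name that Yii2 would read as a
 * behavior ("as <name>") or event handler ("on <name>") definition?
 * The body is decoded first so "%20", "+" and "%5B" variants are all caught;
 * the key may be top-level, follow "&", or be a bracketed array index.
 * Matching is case-sensitive because Yii2 compares against lowercase "as "/"on ".
 */
function hasBehaviorInjectionKey(string $body): bool
{
    $decoded = urldecode($body);
    return preg_match('/(?:^|&|\[)(?:as|on) /', $decoded) === 1;
}

/** Parse one constructed log line of the form "METHOD PATH STATUS BODY". */
function parseLogLine(string $line): ?array
{
    if (preg_match('/^(\S+) (\S+) (\d{3}) (.*)$/', $line, $m) !== 1) {
        return null;
    }
    return ['method' => $m[1], 'path' => $m[2], 'status' => (int) $m[3], 'body' => $m[4]];
}

/** Return the log lines that match the advisory's indicator of compromise. */
function flagSuspiciousRequests(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        $r = parseLogLine($line);
        if ($r === null || $r['method'] !== 'POST') {
            continue;
        }
        if (!str_starts_with($r['path'], ENTRY_TYPES_PATH)) {
            continue;
        }
        if (hasBehaviorInjectionKey($r['body'])) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Constructed sample: benign saves, two requests carrying the key shape (with
// placeholder values), and a benign request where "on " only appears in a value.
$sample = [
    'POST /admin/entry-types/save 302 settings%5BtitleFormat%5D=%7Btitle%7D&settings%5Bicon%5D=star',
    'GET /admin/entry-types/ 200 -',
    'POST /admin/entry-types/save 302 settings%5Bas%20placeholder%5D%5Bclass%5D=PLACEHOLDER',
    'POST /admin/entry-types/save 302 settings[on+afterSave]=PLACEHOLDER',
    'POST /admin/entries/save 302 title=on+sale+now',
];

foreach (flagSuspiciousRequests($sample) as $hit) {
    echo "suspicious: {$hit}\n";
}
```

Only the third and fourth sample lines are reported: the first has ordinary keys, the second is a GET, and the last carries "on " inside a value rather than a key and targets a different endpoint. Because the check runs on the decoded body, it is a string-level heuristic suited to log review or a WAF rule; pairing it with review of the audit log entries for the same administrator account helps distinguish an attempt from a successful change.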
Monitoring Recommendations
- Enable verbose logging for Craft CMS control panel authentication and configuration changes
- Monitor for unexpected child processes spawned by PHP-FPM or web server processes
- Set up alerts for any modifications to entry type configurations outside of normal change windows
- Track administrator account activity for signs of account compromise or privilege abuse
How to Mitigate CVE-2026-32263
Immediate Actions Required
- Upgrade Craft CMS to version 5.9.11 or later immediately
- Review administrator account access and ensure only authorized personnel have control panel privileges
- Consider disabling allowAdminChanges in production environments if not required
- Audit recent entry type configuration changes for signs of exploitation
Patch Information
The vulnerability has been patched in Craft CMS version 5.9.11. The fix ensures that Component::cleanseConfig() is called on the settings array before it is passed to Craft::configure(), effectively removing any dangerous "as" or "on" prefixed keys that could be used for behavior/event handler injection.
For detailed patch information, refer to the GitHub Security Advisory GHSA-qx2q-q59v-wf3j and the related security fix commit.
Workarounds
- Disable allowAdminChanges in your Craft CMS configuration to prevent administrative changes via the control panel
- Restrict control panel access to trusted IP addresses only using firewall rules or .htaccess
- Implement additional authentication factors for administrator accounts
- Deploy a Web Application Firewall with rules to block requests containing Yii2 injection patterns
# Configuration example - disable admin changes in production
# Place this in config/general.php (array-style config; Craft reads the returned array)
<?php
return [
    'allowAdminChanges' => false,
];
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.