CVE-2026-32264 Overview
Craft CMS, a popular content management system used by developers and digital agencies, contains a critical Behavior injection vulnerability that enables Remote Code Execution (RCE). The vulnerability exists in the ElementIndexesController and FieldsController components, affecting Craft CMS versions from 4.0.0-RC1 to before 4.17.5 and from 5.0.0-RC1 to before 5.9.11.
This vulnerability requires the attacker to have Craft control panel administrator permissions and the allowAdminChanges configuration option must be enabled. While these prerequisites limit the attack surface, successful exploitation allows an authenticated administrator to execute arbitrary code on the underlying server, potentially leading to complete system compromise.
Critical Impact
Authenticated administrators can leverage behavior injection in ElementIndexesController and FieldsController to achieve remote code execution, potentially compromising the entire web server and underlying infrastructure.
Affected Products
- Craft CMS versions 4.0.0-RC1 through 4.17.4
- Craft CMS versions 5.0.0-RC1 through 5.9.10
- All Craft CMS installations with allowAdminChanges enabled
Discovery Timeline
- 2026-03-16 - CVE-2026-32264 published to NVD
- 2026-03-17 - Last updated in NVD database
Technical Details for CVE-2026-32264
Vulnerability Analysis
This vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), commonly known as behavior injection or unsafe reflection. The flaw exists in how Craft CMS processes configuration data within two critical controllers: ElementIndexesController and FieldsController.
The root cause lies in insufficient sanitization of user-controlled configuration arrays before they are passed to component instantiation methods. In PHP applications like Craft CMS, configuration arrays that specify class names or behavior definitions can be manipulated by attackers to instantiate arbitrary classes or execute malicious code when the framework attempts to configure components based on these arrays.
The vulnerability is exploitable over the network without requiring user interaction, though it does require high privileges (administrator access). Successful exploitation grants attackers complete control over the confidentiality, integrity, and availability of the affected system, enabling them to execute arbitrary commands, steal sensitive data, modify content, or deploy persistent backdoors.
Root Cause
The vulnerability stems from improper input validation when processing serialized condition configurations and field settings. The ElementIndexesController failed to properly sanitize condition configurations before creating condition objects, while the FieldsController did not cleanse settings before applying them via Craft::configure(). This allowed attackers to inject malicious class references or behavior definitions that would be executed during object instantiation.
Attack Vector
The attack is network-based and targets the Craft CMS control panel endpoints. An attacker with administrator credentials can craft malicious requests to the affected controllers, injecting specially crafted configuration data that specifies arbitrary classes or code to be executed. The attack requires:
- Valid administrator credentials for the Craft CMS control panel
- The allowAdminChanges configuration option must be set to true
- Network access to the Craft CMS admin panel endpoints
The following patch shows how the vulnerability was addressed in ElementIndexesController.php:
$conditionsService = Craft::$app->getConditions();
+ if (!$conditionConfig && $serialized) {
+ parse_str($serialized, $conditionConfig);
+ $conditionConfig = $conditionConfig['condition'];
+ }
+
if ($conditionConfig) {
$conditionConfig = Component::cleanseConfig($conditionConfig);
/** @var ElementConditionInterface $condition */
$condition = $conditionsService->createCondition($conditionConfig);
- } elseif ($serialized) {
- parse_str($serialized, $conditionConfig);
- /** @var ElementConditionInterface $condition */
- $condition = $conditionsService->createCondition($conditionConfig['condition']);
} else {
- /** @var ElementConditionInterface $condition */
$condition = $this->elementType()::createCondition();
}
Source: GitHub Commit
The fix ensures that Component::cleanseConfig() is called on all condition configurations before they are passed to createCondition(), preventing malicious class injection.
Similarly, the FieldsController.php was patched:
}
}, ARRAY_FILTER_USE_KEY);
+ $settings = Component::cleanseConfig($settings);
Typecast::properties($type, $settings);
Craft::configure($field, $settings);
}
Source: GitHub Commit
Detection Methods for CVE-2026-32264
Indicators of Compromise
- Unusual POST requests to /admin/element-indexes/* or /admin/fields/* endpoints containing serialized data with unexpected class references
- Web server logs showing malformed condition configurations or field settings with injected class names
- Unexpected PHP processes spawned by the web server user after admin panel interactions
- File system changes or new files created in unexpected locations following administrative actions
Detection Strategies
- Monitor HTTP request bodies to Craft CMS admin endpoints for suspicious class names or behavior injection patterns
- Implement Web Application Firewall (WAF) rules to detect serialized PHP object injection attempts
- Enable detailed application logging and audit all administrative actions within Craft CMS
- Deploy file integrity monitoring on the Craft CMS installation directory to detect unauthorized modifications
Monitoring Recommendations
- Configure alerting for any requests to the affected controller endpoints that contain unusual parameters or serialized data
- Review administrator access logs regularly for accounts accessing element indexes or field configuration endpoints
- Implement runtime application self-protection (RASP) to detect and block behavior injection attempts
- Monitor system process creation events for child processes spawned by the PHP runtime in the context of web requests
How to Mitigate CVE-2026-32264
Immediate Actions Required
- Upgrade Craft CMS to version 4.17.5 or later for version 4.x installations
- Upgrade Craft CMS to version 5.9.11 or later for version 5.x installations
- Set allowAdminChanges to false in production environments as an immediate mitigation if patching is delayed
- Audit administrator accounts and remove unnecessary administrative access
- Review recent administrative activity logs for signs of exploitation
Patch Information
Craft CMS has released security patches addressing this vulnerability. The fixes are included in versions 4.17.5 and 5.9.11. Organizations should apply the appropriate patch based on their Craft CMS version branch.
Detailed information about the vulnerability and patches can be found in the GitHub Security Advisory GHSA-4484-8v2f-5748 and GitHub Security Advisory GHSA-7jx7-3846-m7w7.
Workarounds
- Disable allowAdminChanges in production by setting it to false in your config/general.php file
- Restrict access to the Craft CMS control panel using IP allowlisting at the network or web server level
- Implement additional authentication factors for administrator accounts
- Deploy a Web Application Firewall with rules to block serialized object injection patterns
# Configuration example - Disable allowAdminChanges in config/general.php
# Add or modify the following setting:
'allowAdminChanges' => false,
# Or use environment-based configuration:
'allowAdminChanges' => App::env('CRAFT_ALLOW_ADMIN_CHANGES') ?? false,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
