CVE-2026-41887 Overview
Flarum is open-source forum software written in PHP. CVE-2026-41887 affects Flarum versions prior to 1.8.16 and 2.0.0-rc.1. The vulnerability stems from an incomplete fix for CVE-2023-27577. The original patch restricted @import and data-uri() LESS features in the custom_less setting but failed to apply the same restriction to other settings registered as LESS configuration variables. An authenticated administrator can inject a malicious @import directive through settings such as theme_primary_color, enabling local file inclusion (LFI) or server-side request forgery (SSRF) [CWE-22].
Critical Impact
Authenticated administrators can read arbitrary files reachable by the PHP process or trigger outbound HTTP(S) requests from the server, exposing internal services and sensitive filesystem contents.
Affected Products
- Flarum versions prior to 1.8.16
- Flarum 2.x versions prior to 2.0.0-rc.1
- Any Flarum extension that registers settings via Extend\Settings::registerLessConfigVar(): on an unpatched core, each such setting is an additional injection point, because the value is interpolated into the LESS source without the custom_less check.
Discovery Timeline
- 2026-05-08 - CVE-2026-41887 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41887
Vulnerability Analysis
Flarum compiles forum styles from LESS source at runtime. Administrator-controlled settings registered as LESS config variables are interpolated verbatim into that source before compilation. The original CVE-2023-27577 patch only screened the custom_less setting for the @import and data-uri() directives. Other settings registered through Extend\Settings::registerLessConfigVar() such as theme_primary_color and theme_secondary_color bypassed validation entirely.
When a crafted value reaches the LESS compiler, the parser honors @import (inline) '<path>'. The directive accepts both local file paths and remote URLs, so the attacker can read files accessible to the PHP process or initiate outbound requests to arbitrary hosts. The compiled output forum.css embeds the loaded content verbatim, and because the stylesheet is a public asset, anyone who can fetch it, including unauthenticated visitors, can read the leaked data.
Root Cause
The root cause is incomplete input validation in framework/core/src/Forum/ValidateCustomLess.php. The validation regex /@import|data-uri\s*\(/i was applied only to custom_less. Other LESS-bound settings were treated as trusted strings and concatenated into the compilation context without sanitization.
Attack Vector
Exploitation requires authenticated administrator access. The attacker submits a malicious value through the admin appearance configuration, supplying a payload such as red; @import (inline) '/etc/passwd'; to a registered LESS variable. On the next style compilation, the LESS parser dereferences the import and embeds the file contents or remote response into forum.css. The attacker then retrieves the compiled CSS to extract data or pivot to internal HTTP endpoints.
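The following Python model, added here as an illustration and not code from the Flarum project, shows why the original fix was incomplete. It assembles the LESS prelude the way the page describes (each LESS config variable emitted as `@name: <value>;` with the value untouched), then runs the same denylist regex once the way the CVE-2023-27577 patch did (custom_less only) and once across every LESS-bound key. The variable names behind theme_primary_color and theme_secondary_color, the payload, and the settings dictionary are constructed assumptions for the demonstration.

```python
import re

# Denylist used by Flarum's validator (the regex shown in the page's patch).
LESS_FEATURE_RE = re.compile(r"@import|data-uri\s*\(", re.IGNORECASE)

# Assumed registry of settings interpolated into LESS as config variables.
# A real install gets this from registerLessConfigVar(); the mapping is
# an assumption for the demo.
LESS_CONFIG_VARS = {
    "theme_primary_color": "primary-color",
    "theme_secondary_color": "secondary-color",
}


def build_less_source(settings):
    """Assemble the LESS prelude as an unpatched compile step would:
    each config var becomes `@name: <value>;` with the value verbatim,
    followed by the raw custom_less block."""
    lines = []
    for key, var in LESS_CONFIG_VARS.items():
        if key in settings:
            lines.append(f"@{var}: {settings[key]};")
    if "custom_less" in settings:
        lines.append(settings["custom_less"])
    return "\n".join(lines)


def validate_settings(settings, patched):
    """Return the keys that fail the @import/data-uri( denylist.

    patched=False reproduces the CVE-2023-27577 fix: only custom_less is screened.
    patched=True reproduces the CVE-2026-41887 fix: every LESS-bound key is screened.
    """
    keys = ["custom_less"] if not patched else ["custom_less", *LESS_CONFIG_VARS]
    return [
        key for key in keys
        if isinstance(settings.get(key), str) and LESS_FEATURE_RE.search(settings[key])
    ]


def imports_in(less_source):
    """Paths of @import (...) '<path>' directives a LESS parser would honor."""
    return re.findall(r"@import\s*\([^)]*\)\s*'([^']+)'", less_source)


# Constructed payload in the shape the page describes (no trailing ';', since
# build_less_source appends one).
PAYLOAD = "red; @import (inline) '/etc/passwd'"
SETTINGS = {"theme_primary_color": PAYLOAD, "custom_less": "body { margin: 0; }"}

if __name__ == "__main__":
    print("pre-patch rejects :", validate_settings(SETTINGS, patched=False))
    print("post-patch rejects:", validate_settings(SETTINGS, patched=True))
    print(build_less_source(SETTINGS))
    print("imports the compiler would follow:", imports_in(build_less_source(SETTINGS)))
```

With the payload in theme_primary_color the pre-patch check returns an empty list (nothing rejected), the assembled source contains `@primary-color: red; @import (inline) '/etc/passwd';`, and the post-patch check rejects the key. The same denylist that guarded custom_less was sufficient; it was simply not applied to the other keys.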
return;
}
- // Restrict what features can be used in custom LESS
- if (isset($event->settings['custom_less']) && preg_match('/@import|data-uri\s*\(/i', $event->settings['custom_less'])) {
- $translator = $this->container->make(TranslatorInterface::class);
+ // Restrict what features can be used in custom LESS. This applies to
+ // the `custom_less` setting as well as any setting registered as a
+ // LESS config variable (e.g. `theme_primary_color`), since those
+ // values are interpolated directly into the LESS source.
+ $lessFeatureKeys = array_merge(
+ isset($event->settings['custom_less']) ? ['custom_less'] : [],
+ array_intersect(
+ array_keys($event->settings),
+ array_column($this->customLessSettings, 'key')
+ )
+ );
+
+ foreach ($lessFeatureKeys as $key) {
+ if (is_string($event->settings[$key]) && preg_match('/@import|data-uri\s*\(/i', $event->settings[$key])) {
+ $translator = $this->container->make(TranslatorInterface::class);
- throw new ValidationException([
- 'custom_less' => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
- ]);
+ throw new ValidationException([
+ $key => $translator->trans('core.admin.appearance.custom_styles_cannot_use_less_features')
+ ]);
+ }
+ }
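Review bot: the new loop reuses the custom_less substring denylist `/@import|data-uri\s*\(/i` for keys such as `theme_primary_color`, which the hunk's own comment describes as colour settings; for those keys an allow-list on the expected colour syntax would be stricter than the denylist, since any other LESS text that is not `@import` or `data-uri(` is still interpolated verbatim per the comment. Also worth stating in the comment: the check runs only over keys present in `$event->settings` at save time, so values already stored in the settings table are not rescanned and need a separate audit.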
Source: Flarum framework commit 2d90a1f1
Detection Methods for CVE-2026-41887
Indicators of Compromise
- Unexpected @import or data-uri( substrings present in any setting row of the Flarum database settings table, especially keys like theme_primary_color or theme_secondary_color.
- Outbound HTTP(S) requests originating from the PHP-FPM or web server process to attacker-controlled hosts during LESS compilation events.
- Contents of sensitive local files (for example /etc/passwd, .env, or application secrets) appearing inside the published forum.css asset.
- Web-access or audit log entries (where the admin API is logged) showing administrator updates to color or theme settings whose values contain unexpected punctuation, semicolons, or quoted paths rather than a plain color value.
Detection Strategies
- Search the compiled forum.css and the assets/ directory for @import directives or fragments of filesystem content that should not appear in stylesheets.
- Query the settings table for any value matching the regex /@import|data-uri\s*\(/i across all keys, not only custom_less.
- Correlate administrator login events with subsequent settings changes and unusual outbound network connections from the application host.
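The detection logic above, as an added Python example (not part of the original page or of Flarum), run over constructed sample data: a few (key, value) rows in the shape of Flarum's settings table and a short compiled stylesheet fragment. It applies the same @import/data-uri( regex across every key rather than only custom_less, and separately looks for content signatures in forum.css that should never appear in a stylesheet. The leak signatures and the sample rows are assumptions chosen for the demonstration.

```python
import re

# Same denylist the detection strategy recommends querying for, applied to every key.
LESS_FEATURE_RE = re.compile(r"@import|data-uri\s*\(", re.IGNORECASE)

# Content that has no business inside a compiled stylesheet. Assumed signatures
# for the demo; extend them for the secrets your deployment actually holds.
LEAK_SIGNATURES = {
    "passwd": re.compile(r"^root:x:0:0:", re.MULTILINE),
    "dotenv": re.compile(r"^(DB_PASSWORD|APP_KEY|MAIL_PASSWORD)=", re.MULTILINE),
    "php_source": re.compile(r"<\?php"),
    "import_directive": re.compile(r"@import\b"),
}


def scan_settings_rows(rows):
    """rows: iterable of (key, value) as read from the settings table.
    Returns the keys whose value contains an @import or data-uri( directive."""
    return [
        key for key, value in rows
        if isinstance(value, str) and LESS_FEATURE_RE.search(value)
    ]


def scan_css(css_text):
    """Return {signature_name: line_number} for each leak signature found in a
    compiled stylesheet. Line numbers point a responder at the embedded content."""
    findings = {}
    for name, pattern in LEAK_SIGNATURES.items():
        match = pattern.search(css_text)
        if match:
            findings[name] = css_text.count("\n", 0, match.start()) + 1
    return findings


# Constructed sample rows in the shape of Flarum's settings table.
SAMPLE_ROWS = [
    ("forum_title", "Example Forum"),
    ("theme_primary_color", "#4d698e"),
    ("theme_secondary_color", "red; @import (inline) '/etc/passwd'"),
    ("custom_less", "body { font-size: 14px; }"),
    ("theme_dark_mode", "0"),
]

# Constructed forum.css fragment with /etc/passwd content inlined after a rule.
SAMPLE_CSS = """\
.Button{color:#4d698e}
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
.Header{background:red}
"""

if __name__ == "__main__":
    print("settings keys carrying LESS directives:", scan_settings_rows(SAMPLE_ROWS))
    print("leak signatures in forum.css:", scan_css(SAMPLE_CSS))
```

On the sample data the first scan flags only theme_secondary_color and the second reports the passwd signature at line 2 of the stylesheet. For the database side of the sweep, the same pattern can be expressed directly in MySQL as `SELECT `key`, `value` FROM settings WHERE `value` REGEXP '@import|data-uri[[:space:]]*\\('` (adjust for any table prefix); treat an import_directive hit in compiled CSS as something to review rather than proof of compromise, since a stylesheet can legitimately carry a remote CSS import.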
Monitoring Recommendations
- Enable egress filtering on the application server and alert on connections to hosts not on an allowlist of CDN, package, and update endpoints.
- Log every change to Flarum settings through the admin API and forward events to a centralized log store for review.
- Monitor PHP file access syscalls for reads of sensitive paths originating from the LESS compilation process.
How to Mitigate CVE-2026-41887
Immediate Actions Required
- Upgrade Flarum 1.x to version 1.8.16, or 2.x to 2.0.0-rc.1, without delay.
- Audit the settings table for any prior injection of @import or data-uri() payloads and revert affected values.
- Rotate any credentials, API keys, or tokens stored in files readable by the web server, since they may have been exfiltrated through the compiled CSS.
- Review administrator accounts and revoke access for any unrecognized or stale users.
Patch Information
Flarum addressed the issue in v1.8.16 and v2.0.0-rc.1. The fix extends the existing @import and data-uri() filter to every setting registered as a LESS configuration variable. Full technical context is available in the GitHub Security Advisory GHSA-xjvc-pw2r-6878.
Workarounds
- Restrict administrator access to a minimum set of trusted accounts and enforce strong multi-factor authentication on each.
- Manually validate that no LESS-bound setting in the database contains @import or data-uri( substrings until the patch is applied.
- Run the PHP process under a least-privilege filesystem context that cannot read application secrets or other sensitive files.
- Block outbound network access from the web server to internal cloud metadata endpoints such as 169.254.169.254 to limit SSRF impact.
# Upgrade Flarum via Composer to the fixed release (1.x shown; 2.x installs
# use the 2.0.0-rc.1 constraint instead), then run migrations and clear the
# cache so the stylesheet is recompiled from validated settings
composer require flarum/core:^1.8.16
php flarum migrate
php flarum cache:clear
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.