CVE-2026-44011 Overview
Craft CMS contains an input-handling flaw in its Yii object creation path that allows authenticated users to inject malicious configuration and execute arbitrary commands on the server. The vulnerability affects Craft CMS versions from 4.0.0 to versions before 4.17.12 and 5.9.18. Request-controlled condition field layout data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys take effect during object creation, and FieldLayout initialization triggers a same-request event that leads to remote code execution (RCE). The flaw is tracked under [CWE-479] and is fixed in versions 4.17.12 and 5.9.18.
Critical Impact
Any authenticated user can achieve arbitrary command execution on the underlying server, fully compromising confidentiality, integrity, and availability of the Craft CMS host.
Affected Products
- Craft CMS versions 4.0.0 through 4.17.11
- Craft CMS versions 5.0.0 through 5.9.17
- Fixed in Craft CMS 4.17.12 and 5.9.18
Discovery Timeline
- 2026-05-12 - CVE-2026-44011 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44011
Vulnerability Analysis
The vulnerability resides in Craft CMS controllers that process condition configuration data submitted by authenticated users. The controllers pass user-supplied arrays directly into Craft::$app->getConditions()->createCondition($conditionConfig) without sanitizing reserved configuration keys. Yii's object creation pattern applies configuration values to the instance before parent::__construct() runs, so attacker-controlled keys influence object state during initialization. When the resulting FieldLayout object initializes, it dispatches a same-request event whose handler can be hijacked to execute arbitrary PHP, yielding command execution as the web server user.
Root Cause
The root cause is a missing call to Component::cleanseConfig() on the $conditionConfig array prior to object instantiation. Without that boundary, dangerous keys such as as behaviors or on event survive into the Yii configurator and are interpreted as behaviors and event handlers. This is a classic unsafe-reflection pattern in Yii applications, mapped to [CWE-479] (Signal Handler Use of a Non-reentrant Function / Unsafe Component Behavior).
Attack Vector
An authenticated user submits a crafted condition payload to an element index settings endpoint. The payload embeds Yii configuration keys that attach a malicious behavior or event handler to the FieldLayout object. Object construction triggers the handler in the same request, executing attacker-supplied commands on the server.
// Patch in src/controllers/ElementIndexesController.php
if (is_array($conditionConfig)) {
$conditionConfig = Component::cleanseConfig($conditionConfig);
}
$condition = Craft::$app->getConditions()->createCondition($conditionConfig);
if ($condition instanceof ElementCondition) {
// Source: https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
The patch inserts Component::cleanseConfig() to strip reserved keys before the condition object is created, closing the unsafe reflection path.
Detection Methods for CVE-2026-44011
Indicators of Compromise
- HTTP POST requests to Craft CMS element index or condition endpoints containing JSON keys such as as behaviors, on , or class inside condition configuration payloads.
- Web server processes (php-fpm, apache2, nginx worker) spawning child processes like sh, bash, curl, wget, or python shortly after authenticated admin requests.
- New or modified PHP files in Craft's web/, templates/, or storage/runtime/ directories without a corresponding deployment event.
Detection Strategies
- Inspect application logs for requests to controllers handling conditionConfig parameters from non-administrative accounts.
- Correlate authenticated session activity with subsequent outbound network connections from the web server process.
- Hunt for unexpected behaviors registered on Craft component classes by reviewing recent changes to project config and field layout records.
Monitoring Recommendations
- Enable verbose request logging on the Craft control panel and ship logs to a centralized analytics platform for retention and querying.
- Alert on web server processes executing shell utilities, a behavior that is rare in normal PHP application workloads.
- Monitor file integrity on the Craft webroot to detect dropped webshells or unauthorized template modifications.
How to Mitigate CVE-2026-44011
Immediate Actions Required
- Upgrade Craft CMS to 4.17.12 or 5.9.18 immediately on all affected installations.
- Audit user accounts and revoke unnecessary authenticated access until the patch is applied, since exploitation requires only high-privilege authenticated users on some flows and any authenticated user on others.
- Review web server and PHP-FPM logs for the indicators listed above covering the period since 4.0.0 was deployed.
Patch Information
The fix is published in the Craft CMS Security Advisory GHSA-qrgm-p9w5-rrfw and implemented in GitHub commit ab85ca7. The patch routes condition configuration arrays through Component::cleanseConfig() in both ElementIndexesController and ElementIndexSettingsController before passing them to createCondition().
Workarounds
- Restrict access to the Craft control panel using network ACLs or VPN until the upgrade is completed.
- Disable or reduce permissions for user groups that can edit element sources or field layouts.
- Deploy a web application firewall rule to block requests containing Yii configuration keys such as as behaviors or on inside JSON bodies targeting condition endpoints.
# Upgrade Craft CMS via Composer to a fixed release
composer require craftcms/cms:^5.9.18 --update-with-dependencies
# Or for the 4.x branch
composer require craftcms/cms:^4.17.12 --update-with-dependencies
php craft up
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
