CVE-2026-31857
Published: 11 March 2026
Description
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function…
more
with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates timely remediation of the RCE flaw in Craft CMS by applying patches to versions 5.9.9 or 4.17.4 as specified in the security advisory.
Requires validation and sanitization of user-controlled input to the BaseElementSelectConditionRule::getElementIds() method before unsandboxed Twig rendering to block code injection.
Enforces least privilege by restricting Control Panel access to minimal authorized users, limiting the authenticated low-privilege attack surface for this RCE.
Security SummaryAI
CVE-2026-31857 is a remote code execution (RCE) vulnerability in the Craft content management system (CMS), specifically within the Craft CMS 5 conditions system. The issue resides in the BaseElementSelectConditionRule::getElementIds() method, which passes user-controlled string input through the renderObjectTemplate() function—an unsandboxed Twig rendering mechanism with escaping disabled. It affects Craft CMS versions prior to 5.9.9 and 4.17.4, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and mapping to CWE-94 (Code Injection).
Any authenticated user with Control Panel access, including non-administrative roles such as Author or Editor, can exploit this vulnerability. Attackers send a crafted condition rule via standard element listing endpoints to trigger the vulnerable Twig rendering, achieving full RCE without requiring admin privileges or special permissions. The flaw bypasses common production hardening configurations, including allowAdminChanges set to false, devMode set to false, and enableTwigSandbox set to true.
The Craft CMS security advisory (GHSA-fp5j-j7j4-mcxc) and associated patch commit (8d4903647dcfd31b8d40ed027e27082013347a80) recommend updating to the fixed releases—Craft CMS 5.9.9 or 4.17.4—as the primary mitigation. No additional workarounds are specified in the provided references.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
RCE vulnerability in public-facing Craft CMS web application exploitable by low-privileged authenticated users (PR:L), enabling initial access via public-facing app exploitation and privilege escalation through the vulnerability.