Craft CMS vulnerable to Remote Code Execution via validatePath bypass
Description
A post-authentication path traversal in Craft CMS allows remote code execution by bypassing validatePath with file:// URIs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A path validation flaw in Craft CMS (versions 3.0.0–3.8.14 and 4.0.0-RC1–4.4.14) allows authenticated users to bypass the validatePath function on installations configured with ALLOW_ADMIN_CHANGES=true [1][2]. The flaw arises because the system paths set in bootstrap.php are validated against a plain path format (/path1/path2), and a file URI such as file:///path1/path2 passes this check. PHP's mkdir() natively supports the file:// stream wrapper, so the URI is honoured by the filesystem call and a directory can be created outside the intended system paths [2].
To exploit this, an attacker must first authenticate to the Craft control panel, and the application must have ALLOW_ADMIN_CHANGES set to true. By crafting a request that uses a file:// URI instead of a standard Unix path, an attacker can write files or directories to arbitrary locations on the server filesystem [2]. This bypasses the path validation that is meant to confine operations to system directories such as config/, storage/, and templates/ [2].
The impact is remote code execution, as the attacker can place a malicious PHP file (e.g., a web shell) in a web-accessible directory and then execute it through the Craft application [1][2]. The advisory notes that this poses a serious security threat, potentially leading to full control of the vulnerable system and data exfiltration [1][2].
Both Craft CMS 3.x and 4.x lines have been patched in versions 3.8.15 and 4.4.15, respectively [1][2][3][4]. Users are strongly advised to upgrade to these or later versions. There is no workaround aside from applying the patch; however, restricting access to the control panel and disabling ALLOW_ADMIN_CHANGES where possible can reduce exposure.
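As an added illustration of the check described above (not Craft CMS code), the following path-confinement function refuses stream-wrapper prefixes outright instead of only matching a plain /path1/path2 shape, then normalises the path lexically and confines it to a set of allowed roots. The function name validatePath, the root directories and the probe paths are constructed for this example; PHP 8 is assumed for str_contains() and str_starts_with().

```php
<?php
// Added example, not Craft CMS code: validatePath() and the roots below are constructed. PHP 8+.
// Return true only when $path names a location at or below one of $allowedRoots.
function validatePath(string $path, array $allowedRoots): bool
{
    // 1. Refuse any stream-wrapper scheme (file://, phar://, ...) rather than stripping it:
    //    mkdir() and fopen() honour wrappers, so a prefix the check ignores is still acted on.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    // 2. Refuse embedded NUL bytes, which truncate the path at the C level.
    if (str_contains($path, "\0")) {
        return false;
    }
    // 3. Normalise lexically (no filesystem access): unify separators and resolve "." and "..",
    //    so "/app/storage/../../etc" becomes "/etc". Unix-style absolute paths are assumed.
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($parts); continue; }
        $parts[] = $seg;
    }
    $normalized = '/' . implode('/', $parts);
    // 4. Accept only the root itself or something strictly below it; the trailing
    //    separator stops "/app/storage-old" from matching the root "/app/storage".
    foreach ($allowedRoots as $root) {
        $root = rtrim($root, '/');
        if ($normalized === $root || str_starts_with($normalized, $root . '/')) {
            return true;
        }
    }
    return false;
}

// Constructed roots and probe paths mirroring the system directories named above.
$roots = ['/var/www/craft/config', '/var/www/craft/storage', '/var/www/craft/templates'];
$cases = [
    '/var/www/craft/storage/runtime'   => true,  // ordinary path inside a root
    '/var/www/craft/storage/../../web' => false, // ".." traversal out of the roots
    'file:///var/www/craft/web'        => false, // the wrapper prefix that defeated a shape-only check
    'FILE:///var/www/craft/web'        => false, // case variant, refused by the same rule
    '/var/www/craft/storage-old'       => false, // shares a prefix with a root but is not under it
];
foreach ($cases as $path => $expected) {
    if (validatePath($path, $roots) !== $expected) {
        fwrite(STDERR, "unexpected result for $path\n"); exit(1);
    }
}
echo "all checks passed\n";
```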
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.4.15 | 4.4.15 |
| craftcms/cms (Packagist) | >= 3.0.0, < 3.8.15 | 3.8.15 |
Affected products
Patches
0bd33861abdc Fixed a potential RCE vulnerability
2 files changed · +7 −0
CHANGELOG.md+4 −0 modified@@ -1,5 +1,9 @@ # Release Notes for Craft CMS 3.x +## Unreleased + +- Fixed an RCE vulnerability. + ## 3.8.14 - 2023-06-13 - The `_includes/forms/date` and `_includes/forms/time` templates now accept a `timeZone` variable.
src/helpers/FileHelper.php+3 −0 modified@@ -44,6 +44,9 @@ class FileHelper extends \yii\helpers\FileHelper */ public static function normalizePath($path, $ds = DIRECTORY_SEPARATOR) { + // Remove any file protocol wrappers + $path = StringHelper::removeLeft($path, 'file://'); + // Is this a UNC network share path? $isUnc = (strpos($path, '//') === 0 || strpos($path, '\\\\') === 0);
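Review bot: The Unreleased entry `- Fixed an RCE vulnerability.` in the CHANGELOG.md hunk gives operators nothing to triage on; a changelog line for a security fix should name the advisory and the component, e.g. `- Fixed an RCE vulnerability in path validation (GHSA-44wr-rmwq-3phw).`, using the identifier already listed in this page's references.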
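Review bot: The comment `// Remove any file protocol wrappers` in the FileHelper.php hunk overstates what the line below it does: `StringHelper::removeLeft($path, 'file://')` strips one exact, lowercase `file://` prefix and nothing else, so either the comment should say so or the check should match a scheme more generally (a case-insensitive `scheme://` pattern) and reject the path instead of silently rewriting it. Because the stripping happens inside normalizePath(), callers never learn that a wrapper was supplied; returning an error or logging at this point would give operators a detectable signal instead of quietly accepting the rewritten path.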
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-44wr-rmwq-3phw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-40035 (advisory)
- github.com/craftcms/cms/commit/0bd33861abdc60c93209cff03eeee54504d3d3b5 (web)
- github.com/craftcms/cms/releases/tag/3.8.15 (web)
- github.com/craftcms/cms/releases/tag/4.4.15 (web)
- github.com/craftcms/cms/security/advisories/GHSA-44wr-rmwq-3phw (vendor confirmation)