Unauthenticated Craft CMS users can trigger a database backup
Description
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS versions 3.0.0–4.16.16 and 5.0.0-RC1–5.8.20 allow unauthenticated users to trigger database backups via the updater/backup endpoint, risking resource exhaustion or information disclosure.
Vulnerability Overview
Craft CMS, a platform for building custom digital experiences, contains a vulnerability in its updater component that allows unauthenticated users to trigger database backup operations. The root cause is that all updater/* actions under BaseUpdaterController are explicitly configured to allow anonymous access via the $allowAnonymous property, which is set to self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE [4]. This affects versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16 [1][4].
Attack Vector and Exploitation
An attacker can exploit this by sending an unauthenticated POST request to the endpoint /admin/actions/updater/backup [4]. No authentication or prior knowledge is required beyond the ability to reach the Craft admin interface. The backup operation executes the configured backup command, which can be triggered repeatedly by an unauthenticated user [4].
Impact
Successful exploitation can lead to resource exhaustion due to repeated backup operations consuming server resources (CPU, memory, disk I/O) or information disclosure if the backup file is stored in a publicly accessible location or can be retrieved by the attacker [1][4]. The exact impact depends on the server configuration and backup storage practices.
Mitigation
The vendor has released patched versions 5.8.21 and 4.16.17 that address the issue [1][2][4]. Craft 3 users are advised to upgrade to the latest Craft 4 or 5 releases, which include the fixes [1][4]. No workarounds are documented; updating is the recommended course of action.
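Because no workaround is documented, the practical defensive step besides patching is to spot the repeated unauthenticated POSTs described above in web server logs. The following is an added example, not code from Craft or from this advisory: it parses combined-format access log lines (regex, thresholds and the constructed sample entries are assumptions) and flags any client that hits the advisory's backup action more than a few times within a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined-log-format line (Apache/nginx default). The regex and the
# thresholds below are assumptions for this example, not from the advisory.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3})'
)
BACKUP_PATH = "/admin/actions/updater/backup"   # endpoint named in the advisory

def parse(line):
    """Return (ip, timestamp, method, path-without-query) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def find_backup_bursts(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for clients that POST to the backup action at
    least `threshold` times inside any `window`-long sliding interval."""
    recent = defaultdict(deque)   # per-client timestamps still inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path != BACKUP_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client hammering the endpoint, two incidental hits.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:00:01 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 512
203.0.113.7 - - [19/May/2026:10:00:02 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 512
203.0.113.7 - - [19/May/2026:10:00:03 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 512
203.0.113.7 - - [19/May/2026:10:00:04 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 512
198.51.100.9 - - [19/May/2026:10:00:05 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 512
198.51.100.9 - - [19/May/2026:10:00:06 +0000] "GET /admin/dashboard HTTP/1.1" 200 2048
192.0.2.3 - - [19/May/2026:10:00:07 +0000] "POST /admin/actions/updater/backup?x=1 HTTP/1.1" 200 512
"""
```

Run `find_backup_bursts(SAMPLE_LOG.splitlines())` over a real log export; a single POST during a genuine update is expected, a burst from one source is not.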
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.21 | 5.8.21 |
| craftcms/cms (Packagist) | >= 3.0.0, < 4.16.17 | 4.16.17 |
Affected products
Patches
2 files changed · +6 −0
CHANGELOG.md+1 −0 modified@@ -8,6 +8,7 @@ - Fixed a bug where assets with disallowed file extensions could be stored in the system’s temp directory. ([#18049](https://github.com/craftcms/cms/pull/18049)) - Fixed RCE vulnerabilities. (GHSA-255j-qw47-wjh5, GHSA-742x-x762-7383) - Fixed an SSRF vulnerability. (GHSA-x27p-wfqw-hfcc) +- Fixed a DoS vulnerability. (GHSA-v64r-7wg9-23pr) ## 4.16.16 - 2025-11-18
src/controllers/UpdaterController.php+5 −0 modified@@ -69,6 +69,11 @@ public function actionForceUpdate(): Response */ public function actionBackup(): Response { + // make sure migrations are pending + if (!Craft::$app->getUpdates()->getAreMigrationsPending()) { + return $this->sendFinished(); + } + try { Craft::$app->getDb()->backup(); } catch (Throwable $e) {
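Review bot: in the actionBackup() hunk the new `getAreMigrationsPending()` check is the only gate added, so the action remains anonymously reachable (neither touched file changes BaseUpdaterController's $allowAnonymous) for as long as migrations are pending, which is exactly the window in which the updater is legitimately in use. It would help to document in the commit why that residual window is acceptable, and to consider whether the early return should be `sendFinished()`, which reports completion, rather than an explicit rejection, so a caller that is not mid-update cannot mistake the short-circuit for a backup having run.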
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-v64r-7wg9-23pr (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-68456 (advisory)
- github.com/craftcms/cms/blob/5.x/CHANGELOG.md (web)
- github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 (web)
- github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr (web, vendor confirmation)