CraftCMS has an RCE vulnerability via relational conditionals in the control panel
Description
Craft is a content management system (CMS). Prior to 5.9.9 and 4.17.4, a Remote Code Execution vulnerability exists in the Craft CMS 5 conditions system. The BaseElementSelectConditionRule::getElementIds() method passes user-controlled string input through renderObjectTemplate() -- an unsandboxed Twig rendering function with escaping disabled. Any authenticated Control Panel user (including non-admin roles such as Author or Editor) can achieve full RCE by sending a crafted condition rule via standard element listing endpoints. This vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings (allowAdminChanges: false, devMode: false, enableTwigSandbox: true). Users should update to the patched 5.9.9 or 4.17.4 release to mitigate the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2026-31857: A high-severity RCE vulnerability in Craft CMS’s conditions system lets any authenticated control panel user achieve full code execution via a crafted condition rule.
Vulnerability
Overview
CVE-2026-31857 is a Remote Code Execution (RCE) vulnerability in Craft CMS versions prior to 5.9.9 and 4.17.4. The flaw resides in the BaseElementSelectConditionRule::getElementIds() method, which passes user-controlled string input through renderObjectTemplate(), an unsandboxed Twig rendering function with escaping disabled [1][3]. This allows an attacker to inject arbitrary Twig templates that are executed on the server.
Exploitation
Details
The attack surface is the control panel’s element listing endpoints, where any authenticated user—including low-privilege roles such as Author or Editor—can submit a crafted condition rule [1][3]. No admin privileges or special permissions beyond basic control panel access are required. The vulnerability bypasses all production hardening settings, including allowAdminChanges: false, devMode: false, and enableTwigSandbox: true, because the sandbox is not applied in this code path [3].
Impact
An attacker who successfully exploits this vulnerability can achieve full remote code execution on the underlying server, potentially leading to complete compromise of the CMS installation and its data [1][3].
Mitigation
Craft CMS has released patched versions 5.9.9 and 4.17.4 that address the issue by rendering relational condition rules’ element ID templates in a sandboxed Twig environment when enableTwigSandbox is enabled [3][4]. Users should update immediately to these or later versions [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| craftcms/cms | Packagist | >= 5.0.0-RC1, < 5.9.9 | 5.9.9 |
| craftcms/cms | Packagist | >= 4.0.0-beta.1, < 4.17.4 | 4.17.4 |
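The affected ranges in the table above are what a site owner needs to compare an installation against. The following is an added example (not code from the advisory page or from Craft CMS) that reads a `composer.lock`, finds the `craftcms/cms` entry and tests it against those two ranges, handling the pre-release lower bounds (`5.0.0-RC1`, `4.0.0-beta.1`) so that a release sorts above its own RC/beta tags. The `composer.lock` content is constructed for the demonstration; the range list is copied from the table.

```python
"""Check an installed craftcms/cms version against the affected ranges
listed in the advisory table for CVE-2026-31857 / GHSA-fp5j-j7j4-mcxc.

Added example, not part of the advisory page or of Craft CMS itself.
The composer.lock sample below is constructed for this demonstration.
"""
import json
import re

# Affected ranges copied from the advisory table:
# (lower bound, inclusive) -> (upper bound, exclusive)
AFFECTED_RANGES = [
    ("5.0.0-RC1", "5.9.9"),
    ("4.0.0-beta.1", "4.17.4"),
]

# Composer orders pre-release stages alpha < beta < RC, all below the final release.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}


def parse_version(version):
    """Turn '5.9.8', '5.0.0-RC1' or '4.0.0-beta.1' into a comparable tuple.

    A pre-release sorts below the final release with the same number, and
    alpha < beta < RC, matching how Composer orders these tags.
    """
    version = version.lower()
    if version.startswith("v"):
        version = version[1:]
    core, _, pre = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * (3 - len(numbers))  # pad '5.9' to (5, 9, 0)
    if not pre:
        return numbers + ((1, 0, 0),)  # final release: highest stage flag
    m = re.fullmatch(r"(alpha|beta|rc)\.?(\d*)", pre)
    if m is None:
        raise ValueError(f"unrecognised pre-release tag in {version!r}")
    return numbers + ((0, _PRERELEASE_RANK[m.group(1)], int(m.group(2) or 0)),)


def is_affected(version):
    """True if `version` falls inside any advisory range (lower inclusive, upper exclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_craft_version(composer_lock_text):
    """Return the craftcms/cms version recorded in a composer.lock document, or None."""
    data = json.loads(composer_lock_text)
    for pkg in data.get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def assess(composer_lock_text):
    """Summarise whether the locked craftcms/cms version is in an affected range."""
    version = installed_craft_version(composer_lock_text)
    if version is None:
        return {"version": None, "affected": False, "note": "craftcms/cms not in lock file"}
    return {"version": version, "affected": is_affected(version)}


# Constructed sample lock file: a Craft 5 site one patch level below the fix.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "craftcms/cms", "version": "5.9.8"},
        {"name": "twig/twig", "version": "3.0.0"},
    ]
})

if __name__ == "__main__":
    print(assess(SAMPLE_COMPOSER_LOCK))
```

Run it against a real `composer.lock` by passing the file's contents to `assess()`. Note that the patch on this page only sandboxes the template when `enableTwigSandbox` is enabled, so a version check alone is not the whole story: confirm that setting as well after upgrading.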
Patches
8d4903647dcf Fixed GHSA-fp5j-j7j4-mcxc
2 files changed · +8 −1
CHANGELOG.md+7 −0 modified@@ -1,5 +1,12 @@ # Release Notes for Craft CMS 4 +## Unreleased + +> [!WARNING] +> Relational condition rules’ element ID templates are now rendered in a sandboxed Twig environment, when `enableTwigSandbox` is enabled. + +- Fixed a [high-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) RCE vulnerability. (GHSA-fp5j-j7j4-mcxc) + ## 4.17.3 - 2026-02-09 - GraphQL API requests no longer get cache response headers; only no-cache headers, and only if the request had a `X-Craft-Gql-Cache: no-cache` header, or if the request contained any mutations. ([#18348](https://github.com/craftcms/cms/issues/18348))
src/base/conditions/BaseElementSelectConditionRule.php+1 −1 modified@@ -76,7 +76,7 @@ public function getElementId(bool $parse = true): int|string|null } else { $referenceElement = new stdClass(); } - return Craft::$app->getView()->renderObjectTemplate($elementId, $referenceElement); + return Craft::$app->getView()->renderSandboxedObjectTemplate($elementId, $referenceElement); } return $this->_elementId; }
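Review bot: the CHANGELOG entry documents the sandbox only for the case where `enableTwigSandbox` is enabled ("when `enableTwigSandbox` is enabled"); it should also state plainly what happens on installs where that setting is disabled, so that site owners reading the release notes know whether upgrading alone closes GHSA-fp5j-j7j4-mcxc for them or whether the setting must be turned on as well.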
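Review bot: the one-line switch from `renderObjectTemplate` to `renderSandboxedObjectTemplate` leaves the `$parse` branch still treating `$elementId` as a Twig template, and nothing in this hunk covers the case where the sandbox is disabled (the CHANGELOG entry in the same patch says the sandboxed environment applies only when `enableTwigSandbox` is enabled). Consider whether a value that arrives from a condition rule submitted through the control panel should be parsed as a template at all, or limit template parsing to the code paths that genuinely need it; otherwise the exposure is one configuration setting away.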
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. github.com/advisories/GHSA-fp5j-j7j4-mcxc (GitHub Advisory Database, ADVISORY)
2. nvd.nist.gov/vuln/detail/CVE-2026-31857 (NVD, ADVISORY)
3. github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80 (fix commit, WEB)
4. github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc (vendor advisory, CONFIRM, WEB)