GHSA-2FPH-6V5W-89HH

Vulnerability from github – Published: 2026-03-24 16:50 – Updated: 2026-03-25 20:59
VLAI?
Summary
Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior
Details

Summary

A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.

The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain.

Impact

  • Attack Type: Remote Code Execution (RCE)
  • Authentication Required: Authenticated user with control panel access (accessCp permission)

Vulnerability Details

Root Cause

In ElementIndexesController::actionFilterHud() (line 493-494), the fieldLayouts body parameter is passed to FieldLayout::createFromConfig() without cleanseConfig():

// ElementIndexesController.php:485-494
if ($conditionConfig) {
    $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed
    $condition = $conditionsService->createCondition($conditionConfig);
} else {
    $condition = $this->elementType()::createCondition();
}

if (!empty($fieldLayouts)) {
    // fieldLayouts is NOT cleansed!
    $condition->setFieldLayouts(array_map(
        fn(array $config) => FieldLayout::createFromConfig($config),
        $fieldLayouts
    ));
}

Note the inconsistency: conditionConfig is sanitized with cleanseConfig(), but fieldLayouts is not.

Attack Chain

  1. Send a fieldLayouts array containing config with "as <name>" prefixed keys
  2. FieldLayout::createFromConfig($config) -> new self($config) -> Model::__construct($config)
  3. App::configure($this, $config) processes each key
  4. "as rce" key -> Component::__set("as rce", $value) -> Yii::createObject($value) -> instantiates AttributeTypecastBehavior and attaches it to the FieldLayout
  5. "on *" key -> registers a wildcard event handler
  6. parent::__construct() -> init() -> setTabs([]) -> getAvailableNativeFields() -> trigger(EVENT_DEFINE_NATIVE_FIELDS)
  7. The wildcard handler fires -> AttributeTypecastBehavior::beforeSave() -> typecastAttributes()
  8. $this->owner->typecastBeforeSave -> resolved via Component::__get() -> returns the command string from the behavior's own property
  9. call_user_func([ConsoleProcessus::class, 'execute'], $command) -> shell_exec($command)

Prerequisites

  • A user account with control panel access
Severity ?
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.9.12"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "craftcms/cms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.6.0"
            },
            {
              "fixed": "5.9.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-24T16:50:42Z",
    "nvd_published_at": "2026-03-24T18:16:09Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nA Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access.\n\nThe existing patches add `cleanseConfig()` to `assembleLayoutFromPost()` and various `FieldsController` actions to strip Yii2 behavior/event injection keys (`as ` and `on ` prefixed keys). However, the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` is passed directly to `FieldLayout::createFromConfig()` without any sanitization, enabling the same behavior injection attack chain.\n\n## Impact\n\n- **Attack Type**: Remote Code Execution (RCE)\n- **Authentication Required**: Authenticated user with control panel access (`accessCp` permission)\n\n## Vulnerability Details\n\n### Root Cause\n\nIn `ElementIndexesController::actionFilterHud()` (line 493-494), the `fieldLayouts` body parameter is passed to `FieldLayout::createFromConfig()` without `cleanseConfig()`:\n\n```php\n// ElementIndexesController.php:485-494\nif ($conditionConfig) {\n    $conditionConfig = Component::cleanseConfig($conditionConfig); // conditionConfig IS cleansed\n    $condition = $conditionsService-\u003ecreateCondition($conditionConfig);\n} else {\n    $condition = $this-\u003eelementType()::createCondition();\n}\n\nif (!empty($fieldLayouts)) {\n    // fieldLayouts is NOT cleansed!\n    $condition-\u003esetFieldLayouts(array_map(\n        fn(array $config) =\u003e FieldLayout::createFromConfig($config),\n        $fieldLayouts\n    ));\n}\n```\n\nNote the inconsistency: `conditionConfig` is sanitized with `cleanseConfig()`, but `fieldLayouts` is not.\n\n### Attack Chain\n\n1. Send a `fieldLayouts` array containing config with `\"as \u003cname\u003e\"` prefixed keys\n2. `FieldLayout::createFromConfig($config)` -\u003e `new self($config)` -\u003e `Model::__construct($config)`\n3. `App::configure($this, $config)` processes each key\n4. `\"as rce\"` key -\u003e `Component::__set(\"as rce\", $value)` -\u003e `Yii::createObject($value)` -\u003e instantiates `AttributeTypecastBehavior` and attaches it to the FieldLayout\n5. `\"on *\"` key -\u003e registers a wildcard event handler\n6. `parent::__construct()` -\u003e `init()` -\u003e `setTabs([])` -\u003e `getAvailableNativeFields()` -\u003e `trigger(EVENT_DEFINE_NATIVE_FIELDS)`\n7. The wildcard handler fires -\u003e `AttributeTypecastBehavior::beforeSave()` -\u003e `typecastAttributes()`\n8. `$this-\u003eowner-\u003etypecastBeforeSave` -\u003e resolved via `Component::__get()` -\u003e returns the command string from the behavior\u0027s own property\n9. `call_user_func([ConsoleProcessus::class, \u0027execute\u0027], $command)` -\u003e `shell_exec($command)`\n\n### Prerequisites\n\n- A user account with control panel access",
  "id": "GHSA-2fph-6v5w-89hh",
  "modified": "2026-03-25T20:59:38Z",
  "published": "2026-03-24T16:50:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/security/advisories/GHSA-2fph-6v5w-89hh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33157"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/commit/97e90b4bdee369c1af3ca77a77531132df240e4e"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-255j-qw47-wjh5"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-7jx7-3846-m7w7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/craftcms/cms"
    },
    {
      "type": "WEB",
      "url": "https://github.com/craftcms/cms/releases/tag/5.9.13"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Craft CMS is Vulnerable to Authenticated Remote Code Execution via Malicious Attached Behavior"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.