Platform: php
Component: craftcms/cms
Fixed in: 4.0.1, 5.0.1, 4.17.5
CVE-2026-32264 is a Remote Code Execution (RCE) vulnerability affecting Craft CMS. This vulnerability arises from an incomplete fix addressing a previous security advisory, allowing attackers to leverage a similar gadget chain to achieve code execution. The vulnerability impacts Craft CMS versions 4.9.7 and earlier, and a fix is available in versions 4.17.5 and 5.9.11.
Successful exploitation of CVE-2026-32264 allows an attacker to execute arbitrary code on the server hosting the Craft CMS instance. This could lead to complete system compromise, including data theft, modification, or destruction. The attacker requires administrator privileges within the Craft CMS control panel, and the allowAdminChanges setting must be enabled. The potential blast radius is significant, as an attacker could gain full control over the web server and potentially access sensitive data stored within the CMS or on the server itself. This vulnerability shares a similar exploitation pattern with the previously addressed advisory, suggesting that attackers may be actively seeking to exploit this oversight.
CVE-2026-32264 was publicly disclosed on March 16, 2026. The vulnerability is related to a previously disclosed advisory (GHSA-7jx7-3846-m7w7), which makes it more likely that attackers will prioritize it. No public proof-of-concept (POC) code has been released as of the disclosure date, but the similarity to the previous advisory suggests a high probability of exploitation. The EPSS score is likely to be medium or high, given the RCE nature and the availability of a known exploitation technique. Check CISA KEV for updates.
Exploit Status
EPSS: 0.03% (9th percentile)
CISA SSVC
The primary mitigation for CVE-2026-32264 is to upgrade Craft CMS to version 4.17.5 or 5.9.11. If immediate upgrading is not possible, temporarily disable the allowAdminChanges setting in the Craft CMS control panel to reduce the attack surface. While not a complete solution, this can prevent the exploitation path. Consider implementing a Web Application Firewall (WAF) with rules to detect and block attempts to exploit the vulnerable gadget chain. Monitor Craft CMS logs for suspicious activity, particularly requests targeting ElementIndexesController and FieldsController. After upgrading, confirm the fix by attempting to trigger the vulnerable endpoint with valid administrator credentials and verifying that the request is denied.
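The log-monitoring advice above can be turned into a small triage script. The following is an added example, not code from the page or from the Craft CMS project. It assumes the common Craft convention that ElementIndexesController and FieldsController are reached through action routes named element-indexes and fields (either as an /actions/... path or via the p=actions/... query parameter), and it runs over a few constructed access-log lines in combined log format, so it works offline on no real traffic.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines (combined log format). These are not
# real requests; they only exercise the parser and the matching rules below.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Mar/2026:10:01:02 +0000] "GET /admin/dashboard HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [16/Mar/2026:10:01:09 +0000] "POST /index.php?p=actions/element-indexes/get-elements HTTP/1.1" 200 884 "https://example.test/admin/entries" "Mozilla/5.0"
198.51.100.7 - - [16/Mar/2026:10:02:15 +0000] "POST /actions/fields/save-field HTTP/1.1" 302 0 "-" "curl/8.4.0"
198.51.100.7 - - [16/Mar/2026:10:02:16 +0000] "POST /actions/fields/save-field HTTP/1.1" 302 0 "-" "curl/8.4.0"
192.0.2.44 - - [16/Mar/2026:10:03:00 +0000] "GET /blog/hello-world HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
"""

# One combined-log-format line: ip, identity, user, [timestamp],
# "METHOD path protocol", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed action routes for the two controllers named in the advisory.
# Matches both "/actions/<route>/..." paths and "?p=actions/<route>/..." queries.
WATCHED = re.compile(r'actions/(element-indexes|fields)/', re.IGNORECASE)


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    user_agent: str


def parse_line(line: str):
    """Parse one access-log line; return a Hit or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Hit(
        ip=m.group("ip"),
        ts=m.group("ts"),
        method=m.group("method"),
        path=m.group("path"),
        status=int(m.group("status")),
        user_agent=m.group("ua"),
    )


def find_watched_requests(log_text: str, methods=("POST",)):
    """Return every request (default: POST only) that reaches a watched controller."""
    hits = []
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue  # skip malformed or non-matching lines rather than crash
        if hit.method in methods and WATCHED.search(hit.path):
            hits.append(hit)
    return hits


def summarize_by_ip(hits):
    """Count watched requests per source IP, to spot bursts from one client."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return counts


def is_scripted(hit: Hit) -> bool:
    """Heuristic: control-panel traffic comes from a browser; tooling usually does not."""
    return not hit.user_agent.startswith("Mozilla/")


if __name__ == "__main__":
    watched = find_watched_requests(SAMPLE_LOG)
    for h in watched:
        tag = "scripted" if is_scripted(h) else "browser"
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} [{tag}]")
    print("per-IP counts:", summarize_by_ip(watched))
```

Every hit still needs to be reconciled against who was actually logged into the control panel at that time: a browser-originated request from a known administrator's session is routine, whereas repeated non-browser calls to these controllers are the pattern worth escalating, and after the upgrade the same query can confirm that the endpoints are no longer being driven in that way.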
Update Craft CMS to version 4.17.5 or higher, or to version 5.9.11 or higher. This will resolve the behavior injection vulnerability in ElementIndexesController and FieldsController. Ensure you have Craft control panel administrator permissions and that allowAdminChanges is enabled to apply the update.
CVE-2026-32264 is a Remote Code Execution vulnerability in Craft CMS versions 4.9.7 and earlier, stemming from an incomplete fix of a previous advisory. Attackers with admin privileges can exploit it to execute code.
You are affected if you are running Craft CMS version 4.9.7 or earlier with the allowAdminChanges setting enabled; exploitation additionally requires an attacker to hold administrator privileges in the control panel.
Upgrade Craft CMS to version 4.17.5 or 5.9.11. Temporarily disable allowAdminChanges as a workaround if upgrading is not immediately possible.
While no public exploit is currently available, the vulnerability's similarity to a previously exploited advisory suggests a high probability of exploitation.
Refer to the Craft CMS security advisory on their GitHub repository: https://github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7