Craft CMS RCE: When 'Magic' Methods Cast a Dark Spell
Jan 5, 2026 · 6 min read
Executive Summary (TL;DR)
Researchers found a way to bypass earlier RCE protections in Craft CMS by abusing a built-in Yii2 behavior (`AttributeTypecastBehavior`). An authenticated administrator can inject a malicious configuration array that maps system commands (such as `system` or `exec`) to component attributes. When the component is saved or rendered, the behavior runs the mapped command. The fix recursively strips `as` and `on` keys from configuration arrays before they are applied.
An authenticated Remote Code Execution (RCE) vulnerability in Craft CMS stems from the underlying Yii2 framework's dynamic component configuration. By using the `as` and `on` magic keys in JSON payloads, attackers can attach malicious behaviors to internal components, bypassing earlier security filters and executing arbitrary system commands.
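The mitigation described above, recursively dropping Yii2 `as`/`on` keys before a user-supplied array reaches component configuration, as an added PHP example that is not Craft's own patch; the function name and the sample array are constructed here. Yii2's `Component::__set()` recognises these keys in the forms `as <behaviorName>` and `on <eventName>`, so the filter matches the prefix as well as the bare key.

```php
<?php
declare(strict_types=1);

/**
 * Recursively remove Yii2 behavior/event-handler keys from a configuration
 * array that came from a user. Yii2's Component::__set() treats "as <name>"
 * keys as behaviors to attach and "on <event>" keys as handlers to bind, so
 * any array that ends up in Yii::createObject()/Yii::configure() must not
 * carry them. Hypothetical helper, not Craft's own code. Matching is
 * case-insensitive and whitespace-tolerant as a defensive margin.
 */
function stripBehaviorAndEventKeys(array $config, array &$removed = []): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key)) {
            $lower = strtolower(trim($key));
            if ($lower === 'as' || $lower === 'on'
                || str_starts_with($lower, 'as ')
                || str_starts_with($lower, 'on ')) {
                $removed[] = $key;
                continue; // drop the key and everything nested under it
            }
        }
        // Recurse so keys hidden inside nested component configs are caught too.
        $clean[$key] = is_array($value)
            ? stripBehaviorAndEventKeys($value, $removed)
            : $value;
    }
    return $clean;
}

// Constructed sample: a nested config that tries to attach a behavior at the
// top level and bind an event handler inside a sub-array.
$untrusted = [
    'class'       => 'craft\\elements\\Entry',
    'title'       => 'Hello',
    'as typecast' => ['class' => 'yii\\behaviors\\AttributeTypecastBehavior'],
    'settings'    => ['on afterSave' => 'someHandler', 'limit' => 10],
];

$removed = [];
$safe = stripBehaviorAndEventKeys($untrusted, $removed);

// Self-check: both magic keys are gone, ordinary settings survive.
if ($removed !== ['as typecast', 'on afterSave']
    || $safe !== ['class' => 'craft\\elements\\Entry', 'title' => 'Hello',
                  'settings' => ['limit' => 10]]) {
    throw new RuntimeException('sanitizer did not behave as expected');
}
```

Apply the filter at every boundary where a request body is turned into a component configuration; stripping only the top level leaves nested `as`/`on` keys intact.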
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected Systems
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Craft CMS (Pixel & Tonic) | < 5.8.21 | 5.8.21 |
| Craft CMS (Pixel & Tonic) | < 4.16.17 | 4.16.17 |
| Attribute | Detail |
|---|---|
| Attack Vector | Network (Authenticated) |
| Impact | Remote Code Execution (RCE) |
| CVSS v3.1 | 8.8 (High) |
| CWE ID | CWE-502 (Deserialization of Untrusted Data) |
| Exploit Status | PoC Available / Weaponized |
| Framework | Yii2 |
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.