CVE-2026-31857: Authenticated Remote Code Execution in Craft CMS via Server-Side Template Injection

Craft CMS utilizes a conditions system to manage relational condition rules for element filtering and searching within the Control Panel. This system processes dynamic strings through the Twig templating engine to resolve element IDs. A Server-Side Template Injection (SSTI) vulnerability occurs when user-supplied input is processed by this system without adequate sanitization or sandboxing.

The flaw allows authenticated users, including those with restricted roles such as Authors or Editors, to supply arbitrary Twig templates. These templates are evaluated by the backend server. Because the templates are processed in an unsandboxed environment, an attacker can invoke native PHP functions.

The vulnerability is tracked as CVE-2026-31857 and carries a CVSS 4.0 score of 8.1. It represents a significant privilege escalation vector, allowing low-privileged users to achieve full Remote Code Execution (RCE) on the underlying host infrastructure.

The vulnerability originates in the BaseElementSelectConditionRule class. This class handles relational filters, such as filtering entries that are related to specific IDs. The methods getElementId() and getElementIds() process user-supplied element ID strings to resolve relational queries.

These methods pass the element ID strings directly to Craft::$app->getView()->renderObjectTemplate(). This utility function evaluates dynamic strings containing Twig syntax. Prior to the patch, this function operated without a Twig sandbox and with auto-escaping disabled.

The absence of a sandbox grants the template full access to the Twig environment. This includes access to the global craft object and powerful template filters. Consequently, any executable code embedded within the Twig syntax is processed and executed by the PHP interpreter.

The patch remediates the vulnerability by enforcing sandboxed execution for object templates. The insecure renderObjectTemplate method call was replaced with renderSandboxedObjectTemplate.

// Vulnerable Code (src/base/conditions/BaseElementSelectConditionRule.php)
- return Craft::$app->getView()->renderObjectTemplate($elementId, $referenceElement);
 
// Patched Code
+ return Craft::$app->getView()->renderSandboxedObjectTemplate($elementId, $referenceElement);

The vendor also implemented supplementary defense-in-depth measures to prevent secondary injection vectors. A new helper method, ElementHelper::cleanseQueryCriteria(), was introduced to sanitize user-submitted criteria arrays.

// src/helpers/ElementHelper.php
public static function cleanseQueryCriteria(array $criteria): array {
    unset(
        $criteria['where'], $criteria['orderBy'], $criteria['indexBy'],
        $criteria['select'], $criteria['selectOption'], $criteria['from'],
        $criteria['groupBy'], $criteria['join'], $criteria['having'],
        $criteria['union'], $criteria['withQueries'], $criteria['params']
    );
    return $criteria;
}

This helper strips dangerous SQL-related keys before the criteria array is passed to the ElementQuery builder. This mitigates related SQL injection vulnerabilities tracked under GHSA-g7j6-fmwx-7vp8.

Exploitation requires the attacker to hold an authenticated session with access to the Control Panel. The attacker targets endpoints responsible for element indexes or saved searches, such as /index.php?p=admin/actions/element-indexes/save-index.

The attacker submits an HTTP POST request containing a maliciously crafted $criteria array. This array defines a relational condition rule where the "Element ID" template contains the Twig payload. When the backend processes this rule, the payload is executed.

Valid payloads leverage Twig filters or global objects to invoke PHP functions. For example, the payload {{ ["id"]|map("phpinfo") }} utilizes the map filter to execute the phpinfo function. Alternatively, {{craft.app.view.evaluateDynamicContent('system("whoami")')}} accesses the App instance directly to execute system commands.

Successful exploitation results in arbitrary PHP code execution within the context of the web server process. The attacker gains the ability to read sensitive files, modify the database, or establish persistent access to the host operating system.

The vulnerability circumvents standard Craft CMS production hardening configurations. Specifically, the exploit functions even when allowAdminChanges and devMode are disabled. The global enableTwigSandbox configuration does not prevent this attack because the vulnerable rendering function explicitly bypassed the sandbox.

This significantly elevates the risk profile for environments that grant Author or Editor permissions to untrusted or external users. A compromised low-privileged account can be immediately leveraged to completely compromise the application and the underlying infrastructure.

Administrators must upgrade Craft CMS deployments to version 5.9.9 or 4.17.4 to address this vulnerability. These versions enforce sandboxing within the relational condition rule processing and introduce necessary query cleansing.

If immediate patching is not feasible, organizations should restrict Control Panel access to highly trusted administrators. Auditing existing user permissions is recommended to minimize the attack surface.

Security teams can deploy Web Application Firewall (WAF) rules to detect and block common Twig SSTI patterns. Rules should inspect POST requests directed at /index.php?p=admin/actions/element-indexes/* for strings such as {{, |map, |filter, and evaluateDynamicContent.