CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-55792

CVE-2026-55792: Sensitive File Disclosure in Craft CMS via Twig Sandbox Bypass

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 6, 2026·6 min read·4 visits

Executive Summary (TL;DR)

Low-privileged users with template customizer access can read sensitive local files like `.env` using a sandbox bypass, leading to full database credential and security key compromise.

CVE-2026-55792 represents a sensitive file disclosure vulnerability in Craft CMS. The issue arises from the inclusion of the `dataUrl()` function in the Twig sandbox allowlist combined with incomplete path validation inside the underlying helper method. Attackers with low-privileged control panel access can exploit this flaw to read and exfiltrate the `.env` configuration file.

Vulnerability Overview

Craft CMS incorporates a template-rendering pipeline driven by the Twig template engine. To permit restricted site administrators or users with specific administrative delegation to construct localized system messages or transactional notifications, the application implements a dedicated Twig sandbox environment. This sandbox is strictly governed by an allowlist that evaluates functions, filters, and tags before execution.\n\nIn vulnerable configurations of Craft CMS, the utility function dataUrl() was registered as an allowable function within the sandbox definition context. The intended use of this helper is to allow the rendering of visual assets, such as brand logos, by encoding them directly into the output content of transactional emails. The vulnerability lies in the fact that the underlying helper implementation did not sufficiently restrict file resolution paths, thereby opening a vector for arbitrary file disclosure.\n\nAn authenticated user with the utility:system-messages permission can exploit this exposure. By inserting a reference to sensitive local files inside a customized template, the attacker forces the system to serialize the files and render them as inline assets. The severity is high because this mechanism completely bypasses typical web server document root limitations.

Root Cause Analysis

The root cause of CVE-2026-55792 is situated within the validation logic of the craft\\helpers\\Html::dataUrl() method combined with its presence in the sandbox allowlist. When Twig processes the sandboxed function, it maps directly to this static helper. The developer's intention was to restrict the function to non-sensitive assets residing within the application directory.\n\nTo enforce this restriction, the helper evaluated paths against three primary defensive boundaries. First, it checked if the target file path resolved within the project's root filesystem structure. Second, it executed directory containment checks to verify that the file was not located inside critical subdirectories such as config/, vendor/, storage/, or templates/. Third, it restricted the reading of any file carrying a .php file extension to prevent source code exposure.\n\nThis validation model failed to account for files that do not possess a standard extension and are positioned at the top level of the project root. The .env environment file resides directly in the root directory, placing it outside the blacklist of specific subdirectories. Furthermore, because it utilizes a dotfile format without a .php suffix, it completely evades the extension blacklist. The validation logic consequently validates the path as safe and proceeds to call PHP's file_get_contents() function.

Code Analysis

Analyzing the vulnerable code path reveals how the path validation logic allows dotfiles to pass unchecked. The following code snippet demonstrates the vulnerability in src/helpers/Html.php and the subsequent patch introduced to address the flaw:\n\nphp\n// VULNERABLE IMPLEMENTATION\npublic static function dataUrl(string $path, ?string $mimeType = null): string\n{\n $resolvedPath = FileHelper::resolvePath($path);\n \n if (self::isRestrictedDirectory($resolvedPath) || str_ends_with($resolvedPath, '.php')) {\n throw new InvalidArgumentException('Access denied to specified file.');\n }\n \n $content = file_get_contents($resolvedPath);\n return 'data:' . $mimeType . ';base64,' . base64_encode($content);\n}\n\n\nThe corresponding patch alters the behavior by removing dataUrl() from the Twig sandbox completely and introducing strict extension validations. Below is the updated validation architecture implemented in the patch:\n\nphp\n// PATCHED IMPLEMENTATION\npublic static function dataUrl(string $path, ?string $mimeType = null): string\n{\n $resolvedPath = FileHelper::resolvePath($path);\n $basename = basename($resolvedPath);\n \n if (\n str_starts_with($basename, '.') ||\n self::isRestrictedDirectory($resolvedPath) ||\n !self::isAllowedExtension($resolvedPath)\n ) {\n throw new InvalidArgumentException('Access to the requested file is prohibited.');\n }\n \n $content = file_get_contents($resolvedPath);\n return 'data:' . $mimeType . ';base64,' . base64_encode($content);\n}\n\n\nmermaid\ngraph LR\n A["Twig Template Evaluation"] --> B{"Is dataUrl Allowed?"}\n B -- "Yes (Vulnerable)" --> C["Evaluate Path"]\n B -- "No (Patched)" --> H["Block Execution"]\n C --> D{"Is in config/ or vendor/?"}\n D -- "No" --> E{"Does it end in .php?"}\n E -- "No" --> F["file_get_contents('.env')"]\n F --> G["Base64 Encode & Exfiltrate"]\n\n\nAdditionally, the patch removes the registration of dataUrl from the twig-sandbox.php configuration file. This multi-layered remediation ensures that even if the helper's internal validation were bypassed in future iterations, the function is no longer accessible inside sandboxed Twig contexts.

Exploitation Methodology

Exploitation of CVE-2026-55792 requires low-privileged administrative access. Specifically, the target user session must possess the utility:system-messages permission, which authorizes the customization of system transactional emails. The attacker leverages this level of access to embed malicious templates directly into the application database.\n\nOnce logged into the control panel, the attacker navigates to the System Messages utility. By selecting an active template, such as the user registration or password reset message, the attacker appends the payload {{ dataUrl('.env') }} inside a hidden HTML tag or within the readable message body. Saving this template commits the payload to the database.\n\nTo trigger exfiltration, the attacker executes the transaction associated with the edited template. If the password reset template was modified, the attacker requests a password reset for any registered email. The backend task runner processes the request, renders the Twig template, reads the .env configuration file, encodes the content, and delivers the email to the recipient mailbox. The attacker decodes the resulting base64 payload to access cleartext credentials.

Impact Assessment

The security impact of successful exploitation is critical, as it exposes the entire application configuration layer. The .env file containing database credentials, mail server settings, and system-wide secrets is read in its entirety. This results in complete exposure of sensitive application datastores.\n\nMost significantly, the exfiltration of the CRAFT_SECURITY_KEY facilitates immediate privilege escalation. This key is used by the framework to sign security cookies, validate session tokens, and sign CSRF payloads. Armed with the CRAFT_SECURITY_KEY, an attacker can forge administrative cookies locally, authenticate as a super-administrator, and execute arbitrary commands or install malicious plugins, leading to full host compromise.\n\nBecause the template rendering occurs on the server side, firewalls and external network defenses are bypassed. The attack relies entirely on legitimate internal application pathways to exfiltrate the data. Consequently, standard network-level intrusion detection systems will not flag the transaction as anomalous.

Remediation and Defense

Remediation requires upgrading Craft CMS to version 4.18.0 or 5.10.0 depending on the active deployment track. These updates remove the dataUrl helper from the default Twig sandbox configuration and add robust validation checks to the underlying PHP class. Upgrades should be executed via Composer using standard dependency management workflows.\n\nIf upgrading cannot be executed immediately, administrators must manually mitigate the risk. The primary workaround is to revoke the utility:system-messages permission from all users who do not have absolute administrative trust. This cuts off the initial entry point required to inject the malicious Twig string.\n\nAdditionally, administrators can override the default sandbox configuration. By modifying the local config/twig-sandbox.php file, developers can explicitly remove dataUrl from the allowed functions array. Regular database audits should be conducted on the systemmessages table to ensure no unexpected template modifications exist.

Technical Appendix

CVSS Score
6.0/ 10
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS Probability
0.27%
Top 82% most exploited

Affected Systems

Craft CMS 4.xCraft CMS 5.x

Affected Versions Detail

Product
Affected Versions
Fixed Version
Craft CMS
craftcms
>= 4.0.0-RC1, < 4.18.04.18.0
Craft CMS
craftcms
>= 5.0.0-RC1, < 5.10.05.10.0
AttributeDetail
CWE IDCWE-200
Attack VectorNetwork
CVSS 4.0 Score6.0
EPSS Score0.00268
ImpactSensitive Information Disclosure / Local File Read
Exploit StatusPoC in technical advisories
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1005Data from Local System
Collection
T1552Unsecured Credentials
Credential Access
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor who is not authorized to have access to that information.

Known Exploits & Detection

GitHub Security AdvisoryExplains how the sandboxed Twig utility is abused with dataUrl

Vulnerability Timeline

Vulnerability published and advisory issued
2026-07-01
NVD publication date for CVE-2026-55792
2026-07-02

References & Sources

  • [1]GitHub Security Advisory GHSA-287w-mxq6-x2cp
  • [2]Craft CMS Pull Request 18559

More Reports

•5 minutes ago•CVE-2026-35381
3.3

CVE-2026-35381: Logic Error and Parameter Mismatch in uutils coreutils cut Utility

A logic error in the cut utility of uutils coreutils prior to version 0.8.0 causes the utility to ignore the -s (suppress non-delimited records) flag when invoked with the zero-terminated (-z) and empty delimiter (-d '') flags in combination. This results in unintended preservation of undelimited input streams, which breaks the functional parity with GNU coreutils and leads to potential data integrity issues in automated data processing pipelines.

Alon Barad
Alon Barad
2 views•7 min read
•about 2 hours ago•CVE-2026-35366
4.4

CVE-2026-35366: Security Inspection Bypass in uutils coreutils printenv via non-UTF-8 Environment Variables

A security inspection bypass vulnerability exists in the printenv utility of uutils coreutils (a Rust-based implementation of GNU coreutils) prior to version 0.6.0. Due to a semantic mismatch between POSIX environment variable specifications and Rust's strict UTF-8 validation rules, environment variables containing invalid UTF-8 byte sequences are silently omitted from printenv outputs. This allows local attackers to load and execute adversarial environment variables while remaining undetected by system administrators and automated security auditing tools.

Alon Barad
Alon Barad
4 views•6 min read
•about 2 hours ago•GHSA-X76W-8C62-48MG
4.3

GHSA-X76W-8C62-48MG: Missing Authorization in Craft CMS AssetsController Leads to Private Asset Disclosure

An improper authorization vulnerability in Craft CMS allows authenticated Control Panel users to bypass volume view permissions and access signed fallback transform preview links for private assets via the assets/preview-thumb action.

Alon Barad
Alon Barad
3 views•6 min read
•about 3 hours ago•CVE-2026-35371
3.3

CVE-2026-35371: Logical Identity Spoofing in uutils coreutils id Utility

CVE-2026-35371 is a logical validation vulnerability (CWE-451) in the Rust-based GNU coreutils clone (uutils/coreutils). When formatting pretty-print statistics for a process where the real User ID (UID) and effective User ID (EUID) differ, the id utility mistakenly uses the effective Group ID (EGID) to retrieve the effective user name. This mismatch can mislead administrative scripts or system administrators who rely on the command's stdout to verify privilege states.

Alon Barad
Alon Barad
5 views•9 min read
•about 3 hours ago•CVE-2026-35339
5.5

CVE-2026-35339: Incorrect Exit Status Propagation in Rust uutils/coreutils chmod Recursive Execution

CVE-2026-35339 is a logic vulnerability in the Rust-written `uutils/coreutils` implementation of the `chmod` utility. When executing recursively (`-R` or `--recursive`) over multiple target paths, the utility fails to accumulate the overall exit status, overwriting error codes from early failures with the status of the final target. This results in false-success exit codes (0), potentially leading security automation and deployment scripts to assume permission modifications succeeded when they actually failed.

Alon Barad
Alon Barad
6 views•7 min read
•about 5 hours ago•CVE-2026-35338
7.3

CVE-2026-35338: Path Validation Bypass in uutils/coreutils chmod --preserve-root Option

A path validation bypass vulnerability exists in the chmod utility of uutils/coreutils before version 0.6.0. The '--preserve-root' safety mechanism relies on a literal string comparison, allowing local users to bypass root directory protection via unnormalized paths (such as '/../' or symbolic links) and recursively alter system-wide permissions.

Alon Barad
Alon Barad
6 views•6 min read