CVE-2025-68456: Unauthenticated Craft CMS users can trigger a database backup

January 5, 2026 (updated January 9, 2026)

Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure.Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.Resources:

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md

References

github.com/advisories/GHSA-v64r-7wg9-23pr
github.com/craftcms/cms
github.com/craftcms/cms/blob/5.x/CHANGELOG.md
github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr
nvd.nist.gov/vuln/detail/CVE-2025-68456

Code Behaviors & Features

Detect and mitigate CVE-2025-68456 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →