CVE-2026-32263: Craft CMS vulnerable to behavior injection RCE via EntryTypesController
The fix for GHSA-7jx7-3846-m7w7 (commit 395c64f0b80b507be1c862a2ec942eaacb353748) only patched src/services/Fields.php, but the same vulnerable pattern exists in EntryTypesController::actionApplyOverrideSettings().
In src/controllers/EntryTypesController.php lines 381-387:
$settingsStr = $this->request->getBodyParam('settings');
parse_str($settingsStr, $postedSettings);
$settingsNamespace = $this->request->getRequiredBodyParam('settingsNamespace');
$settings = array_filter(ArrayHelper::getValue($postedSettings, $settingsNamespace, []));
if (!empty($settings)) {
Craft::configure($entryType, $settings);
The $settings array from parse_str is passed directly to Craft::configure() without Component::cleanseConfig(). This allows injecting Yii2 behavior/event handlers via as or on prefixed keys, the same attack vector as the original advisory.
You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work.
An attacker can use the same gadget chain from the original advisory to achieve RCE.
Users should update to Craft 5.9.11 to mitigate the issue.
References
- github.com/advisories/GHSA-qx2q-q59v-wf3j
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/d37389dbffafa565143be40a2ab1e1db22a863f7
- github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
- github.com/craftcms/cms/security/advisories/GHSA-qx2q-q59v-wf3j
- nvd.nist.gov/vuln/detail/CVE-2026-32263
Code Behaviors & Features
Detect and mitigate CVE-2026-32263 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →