CVE-2026-32264: Craft CMS vulnerable to behavior injection RCE ElementIndexesController and FieldsController
The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched src/services/Fields.php, but the same vulnerable pattern exists in ElementIndexesController and FieldsController.
Exploitation requires Craft control panel administrator permissions, and the allowAdminChanges config setting must be enabled.
An attacker can use the same gadget chain from the original advisory to achieve RCE.
Users should update to Craft 4.17.5 or 5.9.11 to mitigate the issue.
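As an added defensive example (not code from the advisory or from the Craft CMS project), the following reads a project's composer.lock and reports whether the pinned craftcms/cms release is below the fixed version for its major branch. It assumes that any 4.x release before 4.17.5 and any 5.x release before 5.9.11 is affected (the advisory states no lower bound), that a pre-release of the fix version is still affected, and that other major branches are not covered; the sample lock content is constructed.

```python
import json
import re

# Fixed versions named in the advisory. Assumption: every earlier release on
# the same major branch is treated as affected (no lower bound is published).
# The trailing 1 marks a final release; pre-releases carry 0 and sort below it.
FIXED_VERSIONS = {4: (4, 17, 5, 1), 5: (5, 9, 11, 1)}


def parse_version(version: str) -> tuple:
    """Turn 'v5.9.10', '5.9.10' or '5.9.11-beta.1' into a comparable tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    is_final = 0 if m.group(4) else 1  # pre-release suffix sorts before final
    return (major, minor, patch, is_final)


def craft_cms_status(lock_json: str) -> dict:
    """Report whether composer.lock pins craftcms/cms below the fixed release.

    'vulnerable' is True/False when the branch is covered by the advisory and
    None when the package is absent or its branch is not covered.
    """
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") != "craftcms/cms":
            continue
        ver = parse_version(pkg["version"])
        fixed = FIXED_VERSIONS.get(ver[0])
        if fixed is None:
            return {"version": pkg["version"], "vulnerable": None,
                    "reason": "major branch not covered by the advisory"}
        return {"version": pkg["version"], "vulnerable": ver < fixed,
                "fixed_in": ".".join(str(x) for x in fixed[:3])}
    return {"version": None, "vulnerable": None,
            "reason": "craftcms/cms not present in composer.lock"}


# Constructed sample lock content, not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [{"name": "craftcms/cms", "version": "5.9.10"}]})

if __name__ == "__main__":
    # A flagged version only matters for RCE where an admin account exists
    # and allowAdminChanges is enabled; the check itself is version-only.
    print(craft_cms_status(SAMPLE_LOCK))
```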
References
- github.com/advisories/GHSA-4484-8v2f-5748
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
- github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620
- github.com/craftcms/cms/security/advisories/GHSA-4484-8v2f-5748
- github.com/craftcms/cms/security/advisories/GHSA-7jx7-3846-m7w7
- nvd.nist.gov/vuln/detail/CVE-2026-32264