CVE-2026-32264
Published: 16 March 2026
Summary
CVE-2026-32264 is a high-severity Unsafe Reflection (CWE-470) vulnerability in Craft CMS (vendor: craftcms). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 14.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely application of patches for CVE-2026-32264 directly remediates the unsafe reflection flaw in ElementIndexesController and FieldsController, preventing RCE exploitation.
Information input validation at controller entry points prevents externally-controlled input from triggering unsafe reflection and behavior injection RCE.
Enforcing secure configuration settings to disable allowAdminChanges eliminates the prerequisite configuration for exploiting this vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
RCE via unsafe reflection in Craft CMS's public-facing control panel controllers maps to T1190 (exploitation of the public-facing application, here by an authenticated administrator), and the resulting arbitrary command/code execution on the server maps to T1059.
NVD Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, there is a Behavior injection RCE vulnerability in ElementIndexesController and FieldsController. Craft control panel administrator permissions and allowAdminChanges must be enabled for this to work. This issue has been patched in versions 4.17.5 and 5.9.11.
Deeper analysis
CVE-2026-32264 is a behavior injection remote code execution (RCE) vulnerability affecting Craft CMS, a content management system. The flaw exists in the ElementIndexesController and FieldsController components, impacting versions from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. It stems from CWE-470 (Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')), with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires an attacker who already holds Craft control panel administrator permissions on an installation where the allowAdminChanges setting is enabled. Such a privileged adversary can inject a malicious behavior and achieve arbitrary remote code execution on the server, with high impact to confidentiality, integrity, and availability and scope unchanged (S:U).
Patches addressing this vulnerability are available in Craft CMS versions 4.17.5 and 5.9.11, as detailed in GitHub security advisories GHSA-4484-8v2f-5748 and GHSA-7jx7-3846-m7w7, along with the corresponding fix commits at https://github.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70 and https://github.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620. Security practitioners should prioritize upgrading affected installations and review configurations for allowAdminChanges exposure.
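As an added triage helper (not code from Craft CMS or from this advisory), the script below checks the two prerequisites the advisory names: whether the craftcms/cms version recorded in composer.lock falls in an affected range (lower bound inclusive, fixed version exclusive, with RC pre-releases ordered before the final release), and whether allowAdminChanges is enabled. The allowAdminChanges value is assumed to be supplied by the operator from config/general.php, and the composer.lock fragment is constructed.

```python
import json
import re

# Affected ranges from the advisory: lower bound inclusive, fixed version exclusive.
AFFECTED_RANGES = [("4.0.0-RC1", "4.17.5"), ("5.0.0-RC1", "5.9.11")]
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # a final release gets rank 3
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")

def parse_version(text):
    """Turn 'X.Y.Z', 'X.Y.Z-RC1' or 'X.Y.Z-beta.2' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Craft version: {text!r}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + (3, 0)  # a final release sorts after its pre-releases
    stage = _STAGE_RANK.get(m.group(4).lower())
    if stage is None:
        raise ValueError(f"unknown pre-release stage in {text!r}")
    return core + (stage, int(m.group(5) or 0))

def is_affected(version):
    """True if the installed version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)

def craft_version_from_lock(lock_json):
    """Return the craftcms/cms version recorded in a composer.lock document."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None

def triage(lock_json, allow_admin_changes):
    """Both advisory prerequisites must hold: affected version AND allowAdminChanges on."""
    version = craft_version_from_lock(lock_json)
    affected = version is not None and is_affected(version)
    return {"version": version, "affected": affected,
            "exploitable": affected and bool(allow_admin_changes)}

# Constructed sample composer.lock fragment; not taken from any real site.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "5.9.10"},
    {"name": "yiisoft/yii2", "version": "2.0.49"},
]})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, allow_admin_changes=True))
```

An "affected" result with allowAdminChanges disabled still warrants upgrading, since the setting only removes the exploitation prerequisite, not the flaw.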
Details
- CWE(s)