CVE-2026-33157 in Craft
Summary
by MITRE • 03/24/2026
Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS; it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
Analysis
by VulDB Data Team • 03/29/2026
CVE-2026-33157 is a critical remote code execution flaw in Craft CMS affecting versions 5.6.0 through 5.9.12 inclusive. It is exploitable by any authenticated user with control panel access, which makes it particularly dangerous: it abuses the trust the system places in logged-in control panel users. The flaw is a regression that bypasses a previously implemented fix, and its existence underlines the need for a comprehensive review of every affected code path even after an initial patch has shipped.
The root cause is inconsistent input sanitization in the Craft CMS codebase. Earlier patches addressed behavior injection by adding cleanseConfig() to assembleLayoutFromPost() and to various FieldsController actions, but ElementIndexesController::actionFilterHud() was overlooked: its fieldLayouts parameter is passed directly to FieldLayout::createFromConfig() without sanitization, leaving an exploitable injection point. The hardening was applied selectively rather than to every code path that handles user-supplied configuration data. The vulnerability leverages Yii2's behavior injection mechanism, in which configuration keys prefixed with "as" and "on" can be used to inject behaviors and event handlers, and thereby attacker-controlled behavior, into the application's runtime execution context.
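To make the mechanism concrete, here is an added example (written for this page, not Craft CMS or Yii2 code) of the kind of defensive filter the advisory refers to as cleanseConfig(). Yii2's yii\base\Component::__set() treats a property name beginning with "on " as an event handler attachment and one beginning with "as " as a behavior attachment, so any user-supplied configuration array that reaches a component must have such keys removed at every nesting level. The function names (cleanseLayoutConfig, findInjectionKeys), the sample payload shape and the placeholder values are all assumptions; the second helper is a check that can back the control panel monitoring recommended later in the advisory.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Models the concept of cleanseConfig():
// strip Yii2 behavior/event injection keys from untrusted config before it
// reaches something like FieldLayout::createFromConfig().

/**
 * Remove any array key that Yii2's Component::__set() would interpret as
 * an event handler ("on eventName") or a behavior attachment ("as name").
 * Yii2 matches the literal prefixes "on " and "as "; this filter is
 * deliberately broader (case-insensitive, any whitespace) so a defensive
 * allowlist errs on the side of dropping keys. Applied recursively because
 * layout configs nest (tabs -> elements -> ...).
 */
function cleanseLayoutConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(on|as)\s/i', $key)) {
            // Drop the key entirely rather than trying to "fix" it.
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseLayoutConfig($value) : $value;
    }
    return $clean;
}

/**
 * Detection helper for request logging or review: returns the dotted paths
 * of every injection-shaped key found at any depth, so a request that
 * carries such keys can be flagged before (or even after) sanitization.
 */
function findInjectionKeys(array $config, string $path = ''): array
{
    $hits = [];
    foreach ($config as $key => $value) {
        $here = $path === '' ? (string) $key : $path . '.' . $key;
        if (is_string($key) && preg_match('/^(on|as)\s/i', $key)) {
            $hits[] = $here;
        }
        if (is_array($value)) {
            $hits = array_merge($hits, findInjectionKeys($value, $here));
        }
    }
    return $hits;
}

// Constructed sample, shaped like a nested layout config posted by a user.
// Hypothetical structure and placeholder values, not Craft's exact schema.
$untrusted = [
    'tabs' => [
        [
            'name' => 'Content',
            'elements' => [
                ['type' => 'FIELD-ELEMENT-CLASS-PLACEHOLDER', 'fieldUid' => 'UID-PLACEHOLDER'],
            ],
            // Injection-shaped keys: a Yii2 component receiving this array
            // would treat them as a behavior attachment and an event handler.
            'as example' => ['class' => 'BEHAVIOR-CLASS-PLACEHOLDER'],
            'on init'    => 'HANDLER-PLACEHOLDER',
        ],
    ],
];

print_r(findInjectionKeys($untrusted));   // tabs.0.as example, tabs.0.on init
print_r(cleanseLayoutConfig($untrusted)); // same structure with both keys removed
```

The important property is that the filter runs on every entry point that accepts layout configuration, not just the ones an earlier fix happened to cover; the advisory's point is precisely that actionFilterHud() was the path left out.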
The impact goes beyond code execution: an authenticated attacker can escalate privileges and compromise the entire CMS installation. Because only control panel access is required, not administrative privileges, the risk is significant wherever several users have access to the administration interface. Exploitation would allow arbitrary code execution on the server, potentially leading to complete system compromise, data exfiltration, or the establishment of persistent backdoors. That this is a bypass also indicates that attackers may have identified and exploited the gap in the patching process, suggesting the original measures were insufficient or incomplete. The weakness maps to CWE-94, "Improper Control of Generation of Code ('Code Injection')", and is a classic example of how incomplete patching leaves systems exposed.
Organizations running an affected Craft CMS version should upgrade to version 5.9.13 or later, which contains the fix for the root cause. In addition, restrict control panel access to trusted IP addresses at the network level, and require multi-factor authentication for all administrative accounts. Monitor the control panel for unusual activity, particularly field layout modifications and configuration changes. The vulnerability's characteristics also align with ATT&CK technique T1059.001, "Command and Scripting Interpreter: PowerShell," as the RCE capability would let attackers execute arbitrary commands on the affected system. Regular security audits of configuration management functions and thorough input validation reviews help prevent similar issues in other components of the application stack.