CVE-2026-23885: CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AlchemyCMS alchemy_cms
CVE-2026-23885 is a medium severity vulnerability in AlchemyCMS versions prior to 7.4.12 and from 8.0.0 up to but not including 8.0.3, caused by improper neutralization of directives in dynamically evaluated code (Eval Injection). The vulnerability arises from passing the resource_handler.engine_name attribute, which authenticated administrators can influence, to Ruby's eval(). This allows an attacker with administrative privileges to run arbitrary Ruby code in the application process and, through it, arbitrary operating-system commands on the host, compromising confidentiality, integrity, and availability.
AI Analysis
Technical Summary
CVE-2026-23885 is an Eval Injection vulnerability classified under CWE-95 affecting AlchemyCMS, an open-source content management system built on Ruby on Rails. Versions prior to 7.4.12 and from 8.0.0 up to but not including 8.0.3 are affected because the method Alchemy::ResourcesHelper#resource_url_proxy (line 28 of app/helpers/alchemy/resources_helper.rb) passes a string derived from resource_handler.engine_name to Ruby's eval(). That attribute is sourced from module definitions that administrative configuration can influence, and the only accompanying control is a rubocop directive that silences the Security/Eval check; the string itself is not validated. eval() executes whatever Ruby expression it receives with the full privileges of the Rails process (there is no sandbox to escape), so an authenticated administrator who can set engine_name to an arbitrary expression obtains arbitrary code execution in the application and, via Kernel methods such as system or backticks, operating-system command execution on the host. The result is full compromise of the affected server, impacting confidentiality, integrity, and availability. The CVSS 3.1 base score is 6.6 (medium): attack vector network, attack complexity high, privileges required high, user interaction none, scope unchanged, with high confidentiality, integrity, and availability impact. Versions 7.4.12 and 8.0.3 replace eval() with send(), which resolves a method by name instead of parsing and executing code, so an injected expression is no longer run. Note that send() still invokes any method whose name it is given, private methods included, so the value should additionally be constrained to the set of known engine names. No known exploits are reported in the wild as of the publication date.
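The following is an added example and is not AlchemyCMS code. It models the pattern the analysis above describes, an eval() on a route-helper name taken from configuration, beside the dispatch-by-name replacement and an allowlisted variant, and shows what each does with an injected expression. DemoRouteProxy, DemoHelper, KNOWN_ENGINES and run_demo are illustrative names, not identifiers from the project.

```ruby
# Added example (not AlchemyCMS code). Models the vulnerable eval() pattern
# beside a send()-based fix and an allowlisted variant. DemoRouteProxy,
# DemoHelper and KNOWN_ENGINES are illustrative names.

# Stand-in for the route proxy object a Rails engine helper method returns.
class DemoRouteProxy
  attr_reader :name

  def initialize(name)
    @name = name
  end
end

class DemoHelper
  # In a Rails view every mounted engine is reachable as a helper method
  # named after it; these two stand in for main_app and the alchemy engine.
  def main_app
    DemoRouteProxy.new("main_app")
  end

  def alchemy
    DemoRouteProxy.new("alchemy")
  end

  # Vulnerable pattern: the engine name is handed to eval(), so any Ruby
  # expression it contains runs in this process with full privileges.
  def resource_url_proxy_eval(engine_name)
    eval(engine_name) # rubocop:disable Security/Eval
  end

  # Fixed pattern: send() resolves a method by name only. A string that is
  # not a method name raises NoMethodError instead of being executed.
  def resource_url_proxy_send(engine_name)
    send(engine_name)
  end

  # Tighter variant: send() still reaches private methods such as
  # Kernel#exit, so check the name against the known engines first.
  KNOWN_ENGINES = %w[main_app alchemy].freeze

  def resource_url_proxy_checked(engine_name)
    name = engine_name.to_s
    unless KNOWN_ENGINES.include?(name)
      raise ArgumentError, "unknown engine #{name.inspect}"
    end
    public_send(name)
  end
end

# Runs each variant against a benign name and against an injected
# expression and reports what happened. The injected expression only sets
# a global variable so that the demo itself is harmless.
def run_demo
  helper = DemoHelper.new
  injected = "$demo_marker = 'injected code ran'; alchemy"
  $demo_marker = nil
  results = {}

  results[:eval_benign] = helper.resource_url_proxy_eval("alchemy").name
  results[:eval_injected] = helper.resource_url_proxy_eval(injected).name
  results[:eval_side_effect] = $demo_marker

  $demo_marker = nil
  results[:send_benign] = helper.resource_url_proxy_send("alchemy").name
  results[:send_injected] =
    begin
      helper.resource_url_proxy_send(injected).name
    rescue NoMethodError
      :rejected
    end
  results[:send_side_effect] = $demo_marker

  results[:checked_benign] = helper.resource_url_proxy_checked("main_app").name
  results[:checked_exit] =
    begin
      helper.resource_url_proxy_checked("exit").name
    rescue ArgumentError
      :rejected
    end
  results
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```

With eval() the injected expression both executes (the global is set) and still returns the expected proxy, which is why such a payload can sit unnoticed in configuration. With send() the same string is just an unknown method name and raises. The allowlisted variant is there because send("exit") would terminate the worker: dispatch-by-name removes code execution, not the need to validate the name.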
Potential Impact
For European organizations, exploitation of CVE-2026-23885 could lead to complete compromise of servers running vulnerable versions of AlchemyCMS. Because exploitation requires an administrator account, the realistic paths are a malicious insider or an attacker who has already obtained administrator credentials, for example through phishing, credential reuse, or a weak password on the admin login. Once that prerequisite is met, the attacker runs arbitrary code as the application user, which enables theft of data from the CMS database and attached storage, defacement or silent modification of published content, service disruption, and pivoting to other systems the application host can reach. This is particularly concerning for organizations managing sensitive content or critical infrastructure websites with AlchemyCMS. The medium severity rating reflects the balance between the high impact of exploitation and the requirement for high privileges. European entities with public-facing CMS deployments or multi-tenant hosting environments, where one tenant's administrator can affect a shared host, are at elevated risk, especially if patching is delayed or administrative access controls are weak.
Mitigation Recommendations
European organizations should immediately upgrade AlchemyCMS to 7.4.12 (7.x line) or 8.0.3 (8.x line) or later, confirming the deployed version from Gemfile.lock rather than from the Gemfile constraint. Until the upgrade lands, restrict who holds the administrative role, since that role is the only prerequisite for exploitation: enforce role-based access control, require multi-factor authentication for administrators, and review recent administrative configuration changes that touch engine_name or related module definitions. Web application firewalls offer limited protection here because the payload is stored configuration rather than a request that looks malicious on its own; detection is better placed on the host, where a Ruby application server worker spawning a shell or other unexpected child process is a strong indicator (auditd or EDR process-tree rules). In code review, treat eval(), instance_eval, class_eval and similar calls as findings wherever their input is not a compile-time constant; prefer explicit method calls or a lookup table, and when dispatching by name with send() or public_send(), validate the name against an allowlist first, because send() reaches private methods as well. Finally, keep comprehensive logging of administrative operations so that a malicious configuration change can be attributed and rolled back.
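As an added example, not part of the advisory or of AlchemyCMS, the script below decides from a Gemfile.lock whether the resolved alchemy_cms version falls inside one of the affected ranges stated above. AFFECTED_RANGES, alchemy_vulnerable?, alchemy_fix_for, alchemy_version_from_lock and audit_lock are illustrative names, and the sample lock file content is constructed for the demo.

```ruby
# Added example (not part of the advisory or of AlchemyCMS). Checks a
# Gemfile.lock against the affected ranges the advisory states. The sample
# lock file below is constructed for the demo.
require "rubygems"

AFFECTED_RANGES = [
  # [lower bound inclusive, first fixed version]
  [Gem::Version.new("0"),     Gem::Version.new("7.4.12")],
  [Gem::Version.new("8.0.0"), Gem::Version.new("8.0.3")]
].freeze

# True when the version is inside one of the affected ranges. Gem::Version
# compares multi-digit components and prereleases correctly, unlike a
# string comparison (which would sort "7.4.9" after "7.4.12").
def alchemy_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |low, fixed| v >= low && v < fixed }
end

# The first fixed version for an affected version, or nil if not affected.
def alchemy_fix_for(version_string)
  v = Gem::Version.new(version_string)
  range = AFFECTED_RANGES.find { |low, fixed| v >= low && v < fixed }
  range && range[1].to_s
end

# Pull the resolved alchemy_cms version out of a Gemfile.lock. Resolved gems
# sit under "specs:" at four-space indent with an exact version; dependency
# lines carry constraints like "(~> 7.4)" and different indentation, so a
# strict pattern avoids mistaking a constraint for the pinned version.
def alchemy_version_from_lock(lock_text)
  m = lock_text.match(/^ {4}alchemy_cms \(([0-9][\w.]*)\)\s*$/)
  m && m[1]
end

def audit_lock(lock_text)
  version = alchemy_version_from_lock(lock_text)
  return "alchemy_cms not found in Gemfile.lock" unless version

  if alchemy_vulnerable?(version)
    "alchemy_cms #{version}: affected by CVE-2026-23885, upgrade to #{alchemy_fix_for(version)}"
  else
    "alchemy_cms #{version}: not affected by CVE-2026-23885"
  end
end

# Constructed sample; a real file is read with File.read("Gemfile.lock").
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      alchemy_cms (7.4.11)
        rails (>= 7.0)
      rails (7.1.3)

  DEPENDENCIES
    alchemy_cms (~> 7.4)
LOCK

puts audit_lock(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run it from the application directory with the real lock file substituted for SAMPLE_LOCK. The version is taken from the specs section on purpose: the DEPENDENCIES entry only records the constraint the Gemfile asks for, which says nothing about whether a fixed release was actually resolved.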
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-16T21:02:02.901Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696ea0384623b1157ccf2ce8
Added to database: 1/19/2026, 9:20:56 PM
Last enriched: 1/19/2026, 9:35:31 PM
Last updated: 1/19/2026, 11:01:23 PM