CVE-2026-31857 is a critical remote code execution vulnerability affecting Craft CMS, a popular content management system. The flaw exists in the BaseElementSelectConditionRule::getElementIds() method, which processes user input through the renderObjectTemplate() function. This function uses Twig template rendering without sandboxing and with escaping disabled, allowing user-controlled strings to be interpreted as executable code. Because the vulnerability can be triggered by any authenticated user with access to the Control Panel, including non-admin roles such as Authors or Editors, it significantly lowers the bar for exploitation. The crafted condition rule can be sent via standard element listing endpoints, enabling attackers to execute arbitrary code on the server hosting the CMS. Notably, this vulnerability bypasses common production hardening configurations like allowAdminChanges set to false, devMode disabled, and even enableTwigSandbox enabled, which normally would mitigate such risks. The affected versions include all Craft CMS releases from 4.0.0-beta.1 up to but not including 4.17.4, and from 5.0.0-RC1 up to but not including 5.9.9. The CVSS 4.0 base score is 8.1, reflecting high severity due to network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. While no public exploits have been observed yet, the vulnerability's characteristics make it a prime target for attackers seeking to compromise CMS infrastructure. Immediate patching to the fixed versions is strongly recommended to prevent exploitation.

The impact of CVE-2026-31857 is severe for organizations using affected versions of Craft CMS. Successful exploitation grants remote code execution capabilities to any authenticated user with minimal privileges, effectively allowing attackers to take full control of the CMS server environment. This can lead to unauthorized data access, data modification or deletion, deployment of malware or ransomware, lateral movement within the network, and complete system compromise. Since the vulnerability bypasses typical hardening measures, organizations relying on configuration-based mitigations are at significant risk. The breach of CMS infrastructure can also damage organizational reputation, disrupt business operations, and expose sensitive customer or internal data. Given Craft CMS's use in various industries for web content management, the threat extends to e-commerce platforms, media sites, corporate portals, and government websites, amplifying potential downstream effects.

To mitigate CVE-2026-31857, organizations should immediately upgrade Craft CMS installations to version 5.9.9 or 4.17.4 or later, where the vulnerability is patched. Until patching is possible, restrict Control Panel access strictly to trusted users and minimize the number of users with any Control Panel privileges. Implement network-level access controls such as VPNs or IP whitelisting to limit exposure of the Control Panel interface. Monitor logs for unusual activity related to element listing endpoints and condition rule submissions. Disable or limit the use of custom condition rules if feasible. Employ web application firewalls (WAFs) with rules targeting suspicious Twig template usage or anomalous POST requests to the CMS backend. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.