CVE-2026-31858: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in craftcms cms
Craft is a content management system (CMS). The ElementSearchController::actionSearch() endpoint is missing the unset() protection that was added to ElementIndexesController in CVE-2026-25495. The exact same SQL injection vulnerability (including criteria[orderBy], the original advisory vector) works on this controller because the fix was never applied to it. Any authenticated control panel user (no admin required) can inject arbitrary SQL via criteria[where], criteria[orderBy], or other query properties, and extract the full database contents via boolean-based blind injection. Users should update to the patched 5.9.9 release to mitigate the issue.
AI Analysis
Technical Summary
CVE-2026-31858 is a critical SQL injection vulnerability in Craft CMS, affecting versions from 5.0.0-RC1 up to 5.9.8. The flaw resides in the ElementSearchController::actionSearch() endpoint, which processes user-supplied query parameters such as criteria[where] and criteria[orderBy] without neutralizing special SQL elements. An authenticated user with control panel access, with no administrative privileges required, can therefore inject arbitrary SQL commands. The root cause is that the unset() protection previously added to ElementIndexesController for a similar issue (CVE-2026-25495) was never applied to this controller. Exploitation enables boolean-based blind SQL injection, allowing an attacker to enumerate and extract sensitive database contents, potentially including user credentials, configuration data, and other content managed by the CMS. The attack vector is network-based, requires no user interaction, and can be executed with low complexity, since nothing beyond authenticated control panel access is required. The CVSS v4.0 score of 8.7 reflects the high impact on confidentiality, integrity, and availability combined with the ease of exploitation. Although no active exploitation in the wild has been reported, the vulnerability poses a significant risk to organizations relying on Craft CMS for content management. The recommended remediation is to upgrade to Craft CMS version 5.9.9, where the missing protection has been applied to this endpoint.
Potential Impact
The exploitation of CVE-2026-31858 can have severe consequences for organizations using affected versions of Craft CMS. Attackers with authenticated control panel access can extract the entire database contents, leading to a complete breach of confidentiality. This may include sensitive user data, credentials, proprietary content, and configuration settings. The integrity of the CMS data can be compromised by unauthorized modifications through injected SQL commands, potentially defacing websites or injecting malicious content. Availability may also be impacted if attackers execute destructive SQL commands or cause database corruption. Since the vulnerability requires only authenticated access without admin privileges, insider threats or compromised lower-privilege accounts can be leveraged to escalate the attack. The breach of sensitive data can lead to regulatory non-compliance, reputational damage, financial losses, and further lateral movement within the victim's network. Organizations relying on Craft CMS for public-facing websites or internal portals are at risk of data leakage and service disruption until the vulnerability is patched.
Mitigation Recommendations
1. Immediate upgrade to Craft CMS version 5.9.9 or later, where the vulnerability is patched.
2. Restrict control panel access to trusted users only and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of compromised accounts.
3. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting criteria parameters in the CMS endpoints.
4. Conduct regular security audits and code reviews to ensure all input validation and sanitization measures are consistently applied across all controllers and endpoints.
5. Monitor logs for unusual query patterns or failed login attempts that may indicate exploitation attempts.
6. Limit database user privileges used by the CMS to the minimum necessary, preventing execution of arbitrary commands beyond required operations.
7. Educate CMS users about the risks of credential compromise and enforce strong password policies.
8. Consider network segmentation to isolate CMS infrastructure from critical backend systems to limit lateral movement in case of compromise.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-09T19:02:25.011Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b1b88b2f860ef9436021c1
Added to database: 3/11/2026, 6:46:35 PM
Last enriched: 3/18/2026, 7:14:24 PM
Last updated: 4/28/2026, 7:27:30 AM
Views: 93