CVE-2026-32264 is a critical vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as Unsafe Reflection) affecting Craft CMS, a popular content management system. The flaw exists in the ElementIndexesController and FieldsController components, where untrusted input can influence the selection of classes or code to execute, leading to behavior injection and remote code execution (RCE). This vulnerability is exploitable remotely without user interaction but requires that the attacker has administrator-level permissions on the Craft control panel and that the allowAdminChanges configuration is enabled. The affected versions span from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. The vulnerability allows an attacker with sufficient privileges to execute arbitrary code on the server, potentially compromising the confidentiality, integrity, and availability of the system. The CVSS 4.0 base score is 8.6, indicating a high severity level, with network attack vector, low attack complexity, no user interaction, and high impact on confidentiality, integrity, and availability. The vulnerability has been patched in versions 4.17.5 and 5.9.11. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of unsafe reflection patterns in web applications and the importance of strict input validation and secure coding practices in CMS platforms.

The impact of CVE-2026-32264 is significant for organizations using affected versions of Craft CMS. Successful exploitation can lead to remote code execution, allowing attackers to run arbitrary commands on the server hosting the CMS. This can result in full system compromise, data theft, defacement, deployment of malware or ransomware, and disruption of services. Since the vulnerability requires administrator-level permissions and the allowAdminChanges setting enabled, the risk is elevated in environments where these conditions are met, such as development, staging, or misconfigured production systems. The breach of confidentiality, integrity, and availability can have severe consequences including loss of sensitive data, damage to organizational reputation, regulatory penalties, and operational downtime. Organizations relying on Craft CMS for web content management, especially those with high-value or sensitive content, are at risk. The absence of known exploits in the wild suggests limited immediate threat, but the high severity and ease of exploitation given the required privileges necessitate prompt remediation to prevent potential targeted attacks.

1. Immediate patching: Upgrade Craft CMS installations to version 4.17.5 or later, or 5.9.11 or later, where the vulnerability is fixed. 2. Restrict administrator access: Limit control panel administrator permissions strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Disable allowAdminChanges: If not required, disable the allowAdminChanges setting to reduce the attack surface. 4. Monitor logs: Implement detailed logging and monitoring of control panel activities to detect suspicious behavior indicative of exploitation attempts. 5. Harden server environment: Employ web application firewalls (WAFs) with rules to detect and block unusual requests targeting the vulnerable controllers. 6. Conduct security audits: Regularly review CMS configurations and code for unsafe reflection patterns or other insecure coding practices. 7. Backup data: Maintain regular, secure backups of CMS data and configurations to enable recovery in case of compromise. 8. Educate administrators: Train CMS administrators on secure configuration and the risks associated with privilege misuse. These measures combined will reduce the likelihood of exploitation and limit the impact if an attack occurs.