CVE-2026-32264: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') in craftcms cms
CVE-2026-32264 is a high-severity remote code execution vulnerability in Craft CMS versions from 4.0.0-RC1 up to but not including 4.17.5, and from 5.0.0-RC1 up to but not including 5.9.11. The flaw arises from unsafe reflection due to externally-controlled input in the ElementIndexesController and FieldsController, allowing behavior injection.
AI Analysis
Technical Summary
CVE-2026-32264 is a critical vulnerability classified under CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, also known as Unsafe Reflection) affecting Craft CMS, a popular content management system. The vulnerability exists in the ElementIndexesController and FieldsController components, where externally supplied input is improperly handled, enabling an attacker with administrative privileges and the allowAdminChanges configuration enabled to perform behavior injection leading to remote code execution (RCE). This means an attacker can execute arbitrary code on the server hosting the CMS, potentially taking full control of the system. The flaw affects Craft CMS versions starting from 4.0.0-RC1 up to versions before 4.17.5, and 5.0.0-RC1 up to versions before 5.9.11. The vulnerability does not require user interaction or privilege escalation beyond admin access, but it does require that the attacker already has control over an admin account or can compromise one. The vulnerability has been patched in versions 4.17.5 and 5.9.11. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no user interaction (UI:N), but requires high privileges (PR:H), with high impact on confidentiality, integrity, and availability (VC:H/VI:H/VA:H). No known exploits have been reported in the wild as of now, but the severity and ease of exploitation by an admin user make this a critical risk for affected installations.
Potential Impact
The primary impact of CVE-2026-32264 is the potential for remote code execution on servers running vulnerable versions of Craft CMS, which can lead to full system compromise. An attacker exploiting this vulnerability can execute arbitrary code with the privileges of the web server, potentially leading to data theft, defacement, deployment of malware or ransomware, and disruption of services. Since the vulnerability requires administrative privileges and the allowAdminChanges setting enabled, the risk is especially high in environments where admin credentials are weak, reused, or compromised. Organizations relying on Craft CMS for their web presence or internal portals may face significant operational and reputational damage if exploited. The vulnerability affects confidentiality, integrity, and availability of affected systems, making it a critical concern for organizations with sensitive data or critical web infrastructure. The lack of known exploits in the wild currently reduces immediate risk, but the public disclosure and high CVSS score suggest attackers may develop exploits soon.
Mitigation Recommendations
To mitigate CVE-2026-32264, organizations should immediately upgrade Craft CMS to versions 4.17.5 or later, or 5.9.11 or later, where the vulnerability has been patched. If immediate upgrading is not possible, restrict access to the Craft CMS control panel to trusted IP addresses and enforce strong multi-factor authentication for all administrator accounts to reduce the risk of credential compromise. Disable the allowAdminChanges setting if it is not strictly necessary, as this setting is required for exploitation. Conduct regular audits of admin accounts and permissions to ensure no unauthorized access is possible. Monitor web server and application logs for suspicious activity related to the ElementIndexesController and FieldsController endpoints. Employ web application firewalls (WAFs) with custom rules to detect and block attempts to exploit unsafe reflection or behavior injection patterns. Finally, maintain a robust incident response plan to quickly respond to any signs of compromise.
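The log monitoring and IP restriction the recommendations call for can be combined into a simple review script. The following is an added example written for this page; it is not code from the advisory or from Craft CMS. It assumes web-server logs in Apache/nginx combined format, Craft's default action trigger (`actions`), and the route convention by which ElementIndexesController and FieldsController are reached under `element-indexes/` and `fields/` (via `/actions/...` or `index.php?p=actions/...`); the action names in the sample log lines are constructed for illustration and should be checked against your own install. It flags state-changing requests to those two controllers that did not come from an allowlisted network, which is the traffic an incident responder would want to review first.

```python
"""Added example (not part of the advisory): review web-server logs for
control-panel action requests to the two Craft CMS controllers named in
CVE-2026-32264 that originate outside a trusted-network allowlist.

Assumptions (not stated by the advisory, verify against your install):
- Apache/nginx "combined" log format;
- Craft's default actionTrigger ('actions'), so the controllers are reached
  under /actions/element-indexes/... and /actions/fields/... (or via
  index.php?p=actions/...).
"""
import re
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Route prefixes for the two controllers named in the advisory (assumed Craft
# controller-to-route naming; adjust if your routing differs).
WATCHED = ("element-indexes/", "fields/")

# Only state-changing methods are reviewed: GET listings are routine control-panel
# traffic, whereas POST/PUT/PATCH reach the save/update actions.
WRITE_METHODS = ("POST", "PUT", "PATCH")


def is_watched_action(path: str, action_trigger: str = "actions") -> bool:
    """True if the request path targets one of the watched controllers."""
    lowered = path.lower()
    for prefix in (f"/{action_trigger}/", f"p={action_trigger}/"):
        i = lowered.find(prefix)
        if i != -1:
            return lowered[i + len(prefix):].startswith(WATCHED)
    return False


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = COMBINED.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines: Iterable[str], trusted_cidrs: Iterable[str],
                    action_trigger: str = "actions") -> List[dict]:
    """Return write requests to watched controllers from outside the allowlist."""
    trusted = [ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in WRITE_METHODS:
            continue
        if not is_watched_action(rec["path"], action_trigger):
            continue
        try:
            src = ip_address(rec["ip"])
        except ValueError:
            continue  # malformed source field; skip rather than crash the review
        if any(src in net for net in trusted):
            continue
        hits.append({"ip": rec["ip"], "ts": rec["ts"],
                     "path": rec["path"], "status": rec["status"]})
    return hits


# Constructed sample log (documentation IP ranges; action names are illustrative).
SAMPLE_LOG = """\
203.0.113.7 - - [16/Mar/2026:19:28:26 +0000] "POST /actions/fields/save-field HTTP/1.1" 200 512 "https://cms.example.test/admin/settings/fields" "Mozilla/5.0"
10.0.0.5 - - [16/Mar/2026:19:30:00 +0000] "POST /actions/element-indexes/get-elements HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Mar/2026:19:31:10 +0000] "GET /actions/element-indexes/get-elements HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Mar/2026:19:32:44 +0000] "POST /index.php?p=actions/element-indexes/get-elements HTTP/1.1" 200 300 "-" "curl/8.0"
203.0.113.7 - - [16/Mar/2026:19:33:00 +0000] "POST /actions/entries/save-entry HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    # 10.0.0.0/8 stands in for the office/VPN range that is allowed to use the control panel.
    for hit in find_suspicious(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"]):
        print(f"{hit['ts']} {hit['ip']} {hit['path']} -> {hit['status']}")
```

On the constructed sample this reports the two write requests from outside 10.0.0.0/8 and ignores the GET listing, the request from the trusted range, and the request to an unrelated controller. Feed it your real access log and the CIDRs you allow to reach the control panel; anything it reports deserves correlation with the admin account that was logged in at the time. Pair this with setting `allowAdminChanges` to `false` in Craft's `config/general.php` on production, which the advisory notes is a precondition for exploitation.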
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-11T15:05:48.397Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69b859da771bdb17492b2dac
Added to database: 3/16/2026, 7:28:26 PM
Last enriched: 3/16/2026, 7:42:55 PM
Last updated: 3/16/2026, 8:45:59 PM