PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-56382 craftcms CVE debrief

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13 (>= 5.5.0 and <= 5.9.13). The flaw is in FieldsController::actionRenderCardPreview(), which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without first running it through Component::cleanseConfig(). An authenticated admin user can therefore smuggle Yii2 event handlers into the layout configuration, execute arbitrary PHP code on the server, and read sensitive information. The issue is fixed in version 5.9.14. With a CVSS score of 8.6 and code execution as the outcome, defenders should prioritize patching; the admin-only precondition narrows who can exploit it but does not reduce the impact once an admin account is compromised.

Vendor
craftcms
Product
cms
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-21
Original CVE updated
2026-06-22
Advisory published
2026-06-21
Advisory updated
2026-06-22

Who should care

Anyone operating Craft CMS 5.x should check their version: installations running 5.5.0 through 5.9.13 are affected and should be updated to 5.9.14 or later. Because exploitation requires an authenticated admin account, the vulnerability also concerns the teams that own admin account hygiene and control panel exposure (who holds admin, whether MFA is enforced, and from where the control panel is reachable), and the detection engineers who monitor control panel traffic for exploitation attempts.

Technical summary

The vulnerability exists in the FieldsController::actionRenderCardPreview() method of Craft CMS. The method passes the fieldLayoutConfig POST parameter directly to Fields::createLayout() without first calling Component::cleanseConfig(). That matters because of a Yii2 convention: when a configuration array is applied to a component, keys of the form 'on <event>' are treated as event-handler attachments (and 'as <name>' keys as behavior attachments) rather than as ordinary properties, so whoever controls the raw array can register a callable that runs when the object is initialized. Craft's cleanseConfig() helper exists to strip those keys from user-supplied configuration before it reaches object creation; because this action skips it, an authenticated admin can inject keys such as 'on init' via fieldLayoutConfig. Successful exploitation yields arbitrary PHP execution in the web server process and disclosure of sensitive information, including environment variables that hold database credentials and CRAFT_SECURITY_KEY.
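The mechanism described above, reduced to a runnable stand-in. This is an added example, not Craft CMS or Yii code: MiniComponent is a hypothetical mirror of yii\base\Component that keeps only the config-application and event behaviour relevant here, cleanseConfig() is a hypothetical mirror of craft\helpers\Component::cleanseConfig(), and HandlerLog and recordHandlerCall are invented names. It shows a config array with a smuggled 'on init' key attaching a handler that fires during initialization, then the same array after the cleanse step the fixed code path applies.

```php
<?php
// Added example, not Craft CMS or Yii code. MiniComponent is a hypothetical
// stand-in for yii\base\Component that keeps only the behaviour relevant
// here: a configuration array is applied key by key, keys of the form
// "on <event>" attach event handlers, and "init" is triggered once the
// object is configured. cleanseConfig() is likewise a hypothetical mirror
// of craft\helpers\Component::cleanseConfig(). Requires PHP 8.0+.

declare(strict_types=1);

final class MiniComponent
{
    /** @var array<string, list<callable>> event name => attached handlers */
    private array $handlers = [];

    /** @var array<string, mixed> ordinary configured properties */
    private array $props = [];

    public function __construct(array $config = [])
    {
        // Same order as Yii: apply the config array, then run init(),
        // which for a Component fires the "init" event.
        foreach ($config as $name => $value) {
            $this->__set((string) $name, $value);
        }
        $this->trigger('init');
    }

    // An "on <event>" key attaches a handler instead of setting a property,
    // which is exactly the convention an attacker abuses via fieldLayoutConfig.
    public function __set(string $name, mixed $value): void
    {
        if (strncmp($name, 'on ', 3) === 0) {
            $this->on(trim(substr($name, 3)), $value);
            return;
        }
        $this->props[$name] = $value;
    }

    public function __get(string $name): mixed
    {
        return $this->props[$name] ?? null;
    }

    public function on(string $event, callable $handler): void
    {
        $this->handlers[$event][] = $handler;
    }

    public function trigger(string $event): void
    {
        foreach ($this->handlers[$event] ?? [] as $handler) {
            $handler($event);
        }
    }
}

/**
 * Drop any key Yii would treat as an event handler ("on ...") or behavior
 * ("as ...") attachment, recursing into nested arrays because a field layout
 * config is nested (tabs containing elements) and nested entries become
 * components of their own.
 */
function cleanseConfig(array $config): array
{
    $clean = [];
    foreach ($config as $key => $value) {
        if (is_string($key) && preg_match('/^(on|as) /', $key) === 1) {
            continue;
        }
        $clean[$key] = is_array($value) ? cleanseConfig($value) : $value;
    }
    return $clean;
}

/** Records handler invocations so the effect of the smuggled key is visible. */
final class HandlerLog
{
    /** @var list<string> */
    public static array $calls = [];
}

function recordHandlerCall(string $event): void
{
    HandlerLog::$calls[] = "handler ran for event '{$event}'";
}

// Constructed input: what an admin-supplied fieldLayoutConfig parameter might
// decode to, with an "on init" key smuggled in beside legitimate keys at two
// nesting levels. The handler is deliberately harmless; the point is that it
// runs at all.
$rawFieldLayoutConfig = json_decode(
    '{"name": "Preview layout", "on init": "recordHandlerCall", '
    . '"tabs": [{"name": "Content", "on init": "recordHandlerCall"}]}',
    true,
    512,
    JSON_THROW_ON_ERROR
);

// Vulnerable pattern: the raw request config goes straight into the
// component constructor, so the smuggled handler fires during init.
new MiniComponent($rawFieldLayoutConfig);
$unsanitizedCalls = count(HandlerLog::$calls);

// Hardened pattern: cleanse before constructing, as the fixed code path does.
HandlerLog::$calls = [];
$layout = new MiniComponent(cleanseConfig($rawFieldLayoutConfig));
$cleansedCalls = count(HandlerLog::$calls);

printf("unsanitized config: %d handler call(s)\n", $unsanitizedCalls);
printf(
    "cleansed config:    %d handler call(s); name=%s; tab keys=%s\n",
    $cleansedCalls,
    $layout->name,
    implode(',', array_keys($layout->tabs[0]))
);
```

Run it with PHP 8.0 or later. The first construction reports one handler call and the second none, while the legitimate name and tab keys survive cleansing. In a real attack the handler value would be a callable of the attacker's choosing rather than the harmless recorder used here, and the nested "on init" matters because Craft turns tab entries into components of their own; the same key scan is what a request-body check would apply to a captured fieldLayoutConfig parameter.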

Defensive priority

High. The CVSS score is 8.6, and a successful exploit gives an authenticated admin arbitrary PHP execution on the web server plus access to secrets such as database credentials and CRAFT_SECURITY_KEY, from which further compromise follows.

Recommended defensive actions

  • Apply the official fix by updating Craft CMS (the craftcms/cms Composer package) to version 5.9.14 or later
  • Inventory Craft CMS installations and record the exact version of each (composer.lock, composer show craftcms/cms, or the control panel's System Report utility); any install at 5.5.0 through 5.9.13 is affected
  • Review the official advisory for CVE-2026-56382 and the vendor's release notes for 5.9.14 for additional guidance
  • Monitor for exploitation attempts: POST requests to the control panel action behind actionRenderCardPreview() (fields/render-card-preview under Craft's controller/action naming convention) whose fieldLayoutConfig parameter contains keys beginning with "on " or "as ". Standard web server access logs do not record POST bodies, so this requires request body logging at a reverse proxy or WAF, or application-level logging
  • Limit exposure until patched: keep admin accounts to the minimum, require multi-factor authentication for control panel logins, and restrict network access to the control panel (for example to a VPN or allow-listed addresses), since exploitation requires an authenticated admin session
  • If exploitation is suspected, treat the environment as compromised: rotate database credentials and CRAFT_SECURITY_KEY (noting that existing sessions and data encrypted with the old key are affected), and look for persistence left behind by arbitrary PHP execution
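The inventory step above as a runnable check. This is an added example, not Craft CMS tooling: it reads the craftcms/cms version from a project's composer.lock and reports whether it falls inside the affected range, handling the "v" tag prefix Composer sometimes records and refusing to guess for branch builds (dev-*) that cannot be compared numerically. The script name in the usage line is hypothetical.

```php
<?php
// Added example, not Craft CMS tooling: reads the craftcms/cms version from a
// project's composer.lock and reports whether it falls inside the affected
// range for CVE-2026-56382 (5.5.0 through 5.9.13, fixed in 5.9.14). The
// script name below is hypothetical. Requires PHP 8.0+.
//
// Usage: php craft-cve-check.php /path/to/composer.lock
// Exit status: 0 not affected, 1 affected or undeterminable, 2 package not found.

declare(strict_types=1);

const AFFECTED_MIN = '5.5.0';
const AFFECTED_MAX = '5.9.13';
const FIXED_IN = '5.9.14';

/** Returns the craftcms/cms version recorded in composer.lock, or null if absent. */
function installedCraftVersion(string $lockFile): ?string
{
    $json = file_get_contents($lockFile);
    if ($json === false) {
        throw new RuntimeException("cannot read {$lockFile}");
    }
    $lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    foreach ($lock['packages'] ?? [] as $package) {
        if (($package['name'] ?? null) === 'craftcms/cms') {
            // Composer may record a tag as "v5.9.12"; strip it for version_compare().
            return ltrim((string) $package['version'], 'v');
        }
    }
    return null;
}

/**
 * True inside the affected range, false outside it, null when the version is
 * a branch reference (e.g. dev-main) that cannot be compared and must be
 * checked by hand against the checked-out commit.
 */
function isAffected(string $version): ?bool
{
    if (str_starts_with($version, 'dev-')) {
        return null;
    }
    return version_compare($version, AFFECTED_MIN, '>=')
        && version_compare($version, AFFECTED_MAX, '<=');
}

$lockFile = $argv[1] ?? 'composer.lock';
$version = installedCraftVersion($lockFile);

if ($version === null) {
    fwrite(STDERR, "craftcms/cms not found in {$lockFile}\n");
    exit(2);
}

$affected = isAffected($version);
if ($affected === null) {
    echo "craftcms/cms {$version}: branch build, compare the checked-out commit against "
        . FIXED_IN . " manually\n";
    exit(1);
}

echo $affected
    ? "craftcms/cms {$version}: AFFECTED by CVE-2026-56382, update to " . FIXED_IN . " or later\n"
    : "craftcms/cms {$version}: not in the affected range\n";
exit($affected ? 1 : 0);
```

composer.lock records what was last installed through Composer, not necessarily what is deployed; confirm the result against composer show craftcms/cms on the server or the control panel's System Report utility before closing the finding.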

Evidence notes

The primary evidence for this vulnerability comes from the CVE-2026-56382 record and its associated source references. The record gives the affected range as Craft CMS >= 5.5.0 and <= 5.9.13, with the fix in 5.9.14; defenders should verify the exact installed version rather than rely on a major-version check. The stored evidence does not record exploitation in the wild (the CVE is not listed in CISA KEV), and this debrief reflects only information available as of the CVE record's publication and last update (2026-06-21 and 2026-06-22).

Official resources

This article is AI-assisted and based on the supplied source corpus.