CVE-2026-32264 — Craft CMS vulnerable to behavior injection RCE ElementIndexesController and Fiel

Description

The fix for https://github.com/advisories/GHSA-7jx7-3846-m7w7 (commit https://github.com/craftcms/cms/commit/395c64f0b80b507be1c862a2ec942eaacb353748) only patched `src/services/Fields.php`, but the same vulnerable pattern exists in `ElementIndexesController` and `FieldsController`. You need Craft control panel administrator permissions, and allowAdminChanges must be enabled for this to work. An attacker can use the same gadget chain from the original advisory to achieve RCE. Users should update to Craft 4.17.5 and 5.9.11 to mitigate the issue.

How to fix CVE-2026-32264

To remediate CVE-2026-32264, upgrade the affected package to a fixed version below.

—upgrade to 4.17.5 or later

Is CVE-2026-32264 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.0.0-RC1, < 4.17.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-32264
PATCHgithub.com/craftcms/cms
WEBgithub.com/craftcms/cms/commit/78d181e12e0b15e1300f54ec85f19859d3300f70
WEBgithub.com/craftcms/cms/commit/dfec46362fcb40b330ce8a4d8136446e65085620