A critical security vulnerability was fixed in Craft 4.4.15, meaning that Craft 4 sites running version 4.4.14 or earlier are open to anonymous remote code execution attacks. We've analysed the vulnerability and below are our findings.

Craft CMS security vulnerability

Craft 4.4.15 fixed a critical remote code execution vulnerability. This is a high-severity, low-complexity vulnerability that can be exploited anonymously, so it should be taken very seriously. Fortunately, applying the fix is as simple as updating sites running Craft 4 to version 4.4.15 or above.

UPDATE

The exploit is now publicly available, so updating is more critical than ever! Rotating the security key is also highly recommended, since a compromised site may have had its key read. This is done with the console commands below: regenerate the security key, then clear all caches and, if the Blitz plugin is installed, refresh the Blitz cache. Note that rotating the key invalidates anything signed or encrypted with the old one, so existing user sessions will be logged out.

php craft setup/security-key
php craft clear-caches/all
php craft blitz/cache/refresh

Here are answers to some common questions that have been asked.

  1. The exploit is publicly available.
  2. The vulnerability can be exploited anonymously (without an authenticated session).
  3. The vulnerability is considered high severity (can cause serious damage) and low complexity (not hard to exploit).
  4. The vulnerability affects Craft 4 only. Sites running Craft 3 are not affected. This is because the vulnerability is in the ConditionsController class (used by the condition builder) that was added in version 4.0.0.
  5. A successful remote code execution (RCE) attack can lead to malicious code being run on the server which may be used to deface a site, deploy malware or steal sensitive data. 
  6. Investigating whether a site has been compromised is not trivial. You'll need to inspect your web server's access logs and look for successful (2xx) POST requests that contain both conditions/render and either as or on followed by a space. Their presence may indicate that your site was attacked and possibly exploited. Bear in mind that standard access logs record only the request line (method, path and query string), not the POST body, so the second pattern will only fire if the indicator appears in the URL; a request to conditions/render that was answered with a 2xx status should be treated as suspicious even without it. To be certain, the content of the requests must be analysed, which means pulling request bodies from a WAF, reverse proxy or application log where one is available. Below are two regular expressions that can help in searching access logs.
    conditions(\/|%2F)render
    (as|on)(\s|%20)
    
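The following is an added example, not code from the original post or from Craft, showing how the two search patterns above can be applied to access-log lines in a single pass. It parses the Apache/nginx combined log format, matches both patterns against the raw and URL-decoded request target (so %2F and %20 variants are caught), and sorts each hit into one of three buckets: a successful POST that also carries the as/on indicator, a successful POST to the endpoint with no indicator in the URL (the body is not in the log, so it still needs review), and requests the server rejected. The log lines are constructed for the example; the IPs, paths and query strings are not from a real incident and the third line is not a real exploit payload, it merely trips the indicator regex.

```python
import re
from urllib.parse import unquote

# The two patterns from the write-up above, compiled once.
ENDPOINT_RE = re.compile(r"conditions(\/|%2F)render", re.IGNORECASE)
MARKER_RE = re.compile(r"(as|on)(\s|%20)", re.IGNORECASE)

# Minimal parser for the combined log format:
#   ip ident user [time] "METHOD target protocol" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not from a real incident). The third line's
# query string is made up solely so that it matches the indicator regex.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:09:12:01 +0000] "GET /blog/some-post HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:09:12:44 +0000] "POST /actions/conditions/render HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.7 - - [01/Jan/2024:09:13:02 +0000] "POST /index.php?p=actions%2Fconditions%2Frender&q=x%20as%20y HTTP/1.1" 200 640 "-" "python-requests/2.31"
192.0.2.9 - - [01/Jan/2024:09:14:30 +0000] "POST /actions/conditions/render HTTP/1.1" 403 199 "-" "curl/8.1.2"
192.0.2.9 - - [01/Jan/2024:09:14:31 +0000] "GET /actions/conditions/render HTTP/1.1" 400 150 "-" "curl/8.1.2"
"""


def _matches(pattern, target):
    # Check the raw target and its URL-decoded form so that percent-encoded
    # slashes and spaces are caught whichever way the client sent them.
    return bool(pattern.search(target) or pattern.search(unquote(target)))


def triage_line(line):
    """Classify one access-log line.

    Returns None for lines that never touch conditions/render, otherwise a
    dict with the fields an analyst needs to follow up on the request.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target, status = m["method"], m["target"], int(m["status"])
    if not _matches(ENDPOINT_RE, target):
        return None

    marker = _matches(MARKER_RE, target)
    if status >= 400:
        # The server refused the request; still worth knowing who probed.
        verdict = "rejected"
    elif method == "POST" and marker:
        # Successful POST carrying the as/on indicator in the URL itself.
        verdict = "high"
    elif method == "POST":
        # Successful POST to the endpoint. The body is not in the access
        # log, so the indicator cannot be checked here: pull the body from
        # a WAF, proxy or application log before concluding anything.
        verdict = "review"
    else:
        verdict = "info"

    return {
        "ip": m["ip"],
        "time": m["time"],
        "method": method,
        "status": status,
        "target": target,
        "marker": marker,
        "verdict": verdict,
    }


def triage_logs(lines):
    """Run triage_line over an iterable of log lines, dropping non-hits."""
    return [hit for hit in (triage_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for hit in triage_logs(SAMPLE_LOG.splitlines()):
        print(f'{hit["verdict"]:8} {hit["ip"]:15} {hit["method"]} '
              f'{hit["status"]} {hit["target"]}')
```

Run it against a real log with `triage_logs(open("access.log"))`. Treat "high" and "review" hits with a 2xx status as the starting point for a deeper investigation of the request bodies, not as proof of compromise on their own.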

In summary, unpatched sites are at serious risk of being attacked. Update now!

Read the security advisory.