Description
Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via the updater/backup action, potentially leading to resource exhaustion or information disclosure.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
References:
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
Affected Endpoints
POST /admin/actions/updater/backup (unauthenticated)
Vulnerability Details
Root Cause
All updater/* actions are explicitly configured with anonymous access:
Attack Vector
- Send an unauthenticated POST request to /admin/actions/updater/backup
- The database backup executes with the configured backupCommand
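To spot the pattern described above in web-server logs, here is an added detection helper (example code, not part of the advisory or of Craft CMS): it scans constructed combined-format access-log lines, extended with a trailing quoted Cookie field, for accepted POSTs to updater/* actions that carry no control-panel session cookie. It assumes the default /admin control-panel trigger and the default CraftSessionId cookie name.

```python
"""Flag accepted, unauthenticated POSTs to Craft's updater/* actions in access logs.

Added example, not code from the advisory or from Craft CMS.
"""
import re
from collections import Counter

# Combined log format plus one extra quoted field holding the Cookie header
# (constructed layout; adjust the regex to the real log format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)
# The advisory names /admin as the control-panel trigger; Craft lets you change it.
UPDATER_PATH = re.compile(r"^/admin/actions/updater/[^?]*")
# Assumption: Craft's default PHP session cookie name.
SESSION_COOKIE = "CraftSessionId"

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(rec):
    """An updater action was POSTed, accepted (2xx), and no CP session cookie was sent."""
    return (rec["method"] == "POST"
            and UPDATER_PATH.match(rec["path"]) is not None
            and rec["status"].startswith("2")
            and SESSION_COOKIE not in rec["cookie"])

def scan(lines):
    """Return (suspicious records, hit count per client IP); repeats hint at resource exhaustion."""
    hits = [r for r in map(parse_line, lines) if r and is_suspicious(r)]
    return hits, Counter(r["ip"] for r in hits)

# Constructed sample: two accepted anonymous backup triggers, one legitimate
# session-backed trigger, one unrelated request, one rejected attempt.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Dec/2025:10:01:02 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 51 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [04/Dec/2025:10:01:09 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 51 "-" "curl/8.5.0" "-"',
    '198.51.100.4 - - [04/Dec/2025:10:02:30 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 51 "-" "Mozilla/5.0" "CraftSessionId=abc123; CRAFT_CSRF_TOKEN=xyz"',
    '198.51.100.4 - - [04/Dec/2025:10:03:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "CraftSessionId=abc123"',
    '203.0.113.7 - - [04/Dec/2025:10:05:00 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 403 12 "-" "curl/8.5.0" "-"',
]

if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for rec in found:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print("hits per IP:", dict(per_ip))
```

On a patched instance the same requests should no longer return 2xx without a session, so a sudden drop in hits after updating is the expected outcome.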
Packages
craftcms/cms: affected >= 5.0.0-RC1, <= 5.8.20; patched in 5.8.21
craftcms/cms: affected >= 3.0.0, <= 4.16.16; patched in 4.16.17
Related vulnerabilities
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.