CVE-2025-68456
Published 2026-01-05
Priority P3 · 54 · critical 9.1 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.47% (37.3rd percentile)
Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| craftcms | cms | — | — |
| craftcms | cms | — | — |
| craftcms | cms | >= 3.0.0 < 4.16.17 | 4.16.17 |
| craftcms | cms | >= 5.0.0-RC1 < 5.8.21 | 5.8.21 |
| craftcms | craft_cms | — | — |
| craftcms | craft_cms | >= 3.0.0 < 4.16.17 | 4.16.17 |
| craftcms | craft_cms | >= 5.0.1 < 5.8.21 | 5.8.21 |
CVSS provenance
- NVD, CVSS v3.1: 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
- NVD, CVSS v4.0: 7.0 HIGH, CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
GHSA
Unauthenticated Craft CMS users can trigger a database backup
ghsa·2026-01-05
CVE-2025-68456 [HIGH] CWE-202 Unauthenticated Craft CMS users can trigger a database backup
Unauthenticated users can trigger database backup operations via the `updater/backup` action, potentially leading to resource exhaustion or information disclosure.
Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.
Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
References:
https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39
https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04
## Affected Endpoints
- `POST /admin/actions/updater/backup` (unauthenticated)
## Vulnerability Details
### Root Cause
All `updater/*` actions are explicitly configured with anonymous access:
```php
// BaseUpdaterController.
```
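This page indexes no detection rule for the issue, so the following is an added example (not code from Craft CMS, GitHub, or the advisory) showing how a defender can scan Combined Log Format access logs for POST requests to the `updater/backup` action and flag sources that hit it repeatedly within a short window, which is the resource-exhaustion pattern the advisory describes. The log lines, IP addresses, timestamps and thresholds are constructed for the example; the path pattern accepts any control-panel trigger segment rather than only `admin`, on the assumption that the Craft `cpTrigger` setting may have been renamed.

```python
"""Flag hits on the Craft CMS updater/backup action (CVE-2025-68456) in access logs.

Added example: scans Combined Log Format lines, reports every POST to the
action (it should never be reachable by unauthenticated clients), and
separately flags sources that repeat it within a short window.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# "admin" is only Craft's default control-panel trigger (assumption: it may be
# renamed via cpTrigger), so match any single leading path segment.
BACKUP_ACTION_RE = re.compile(r'^/[^/]+/actions/updater/backup(?:[/?]|$)')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '198.51.100.9 - - [05/Jan/2026:09:59:00 +0000] "GET /admin/actions/updater/backup HTTP/1.1" 400 0 "-" "curl/8.0"',
    '192.0.2.5 - - [05/Jan/2026:09:59:30 +0000] "POST /admin/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Jan/2026:10:00:00 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.7 - - [05/Jan/2026:10:00:10 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '203.0.113.7 - - [05/Jan/2026:10:00:25 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 64 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jan/2026:10:00:30 +0000] "POST /cp/actions/updater/backup?x=1 HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.7 - - [05/Jan/2026:10:10:00 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 64 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_backup_hit(rec):
    """True for a POST to <trigger>/actions/updater/backup, regardless of status."""
    return (
        rec is not None
        and rec["method"] == "POST"
        and BACKUP_ACTION_RE.match(rec["path"]) is not None
    )


def find_backup_hits(lines):
    """All parsed records that invoke the backup action."""
    return [r for r in map(parse_line, lines) if is_backup_hit(r)]


def burst_sources(hits, window_seconds=60, threshold=3):
    """Map source IP -> max number of backup requests inside any sliding window
    of window_seconds, for IPs that reach the threshold."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["ip"]].append(h["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        j = 0
        for i, start in enumerate(times):
            # advance j to the first timestamp outside the window starting at times[i]
            while j < len(times) and (times[j] - start).total_seconds() <= window_seconds:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    hits = find_backup_hits(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['ip']} POST {h['path']} -> {h['status']}")
    for ip, n in burst_sources(hits).items():
        print(f"burst: {ip} issued {n} backup requests within 60s")
```

Every hit is worth a look on an unpatched install, because the access log cannot tell whether the client held an admin session; the burst report narrows the list to the repeated-trigger pattern that exhausts disk and CPU. Patched versions (5.8.21 and 4.16.17) are expected to reject the unauthenticated request, so after the update the same scan doubles as a check that the fix is in effect.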
OSV
Unauthenticated Craft CMS users can trigger a database backup
osv·2026-01-05
Same advisory text as the GHSA entry above.
No detection rules found.
No public exploits indexed.
Published: 2026-01-05