
CVE

GHSA-v64r-7wg9-23pr

Unauthenticated Craft CMS users can trigger a database backup

Unauthenticated users can trigger database backup operations via the updater/backup action, potentially leading to resource exhaustion or information disclosure.

Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue.

Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.
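The affected ranges above (introduced in 3.0.0 and 5.0.0-RC1, fixed in 4.16.17 and 5.8.21) are easy to get wrong when a pre-release such as 5.0.0-RC1 is involved. The following is an added triage helper, not code from Craft CMS or from the advisory, that parses a Craft version string, orders pre-releases before their final release as SemVer requires, and reports whether the version is affected and which patched release applies. The range boundaries are the advisory's; the parsing rules are the example's own assumption.

```python
"""Version-range triage for GHSA-v64r-7wg9-23pr (added example, not Craft's code)."""
import re
from typing import Optional, Tuple

# Ranges taken from the advisory: introduced 3.0.0 / 5.0.0-RC1, fixed in 4.16.17 / 5.8.21.
# Upper bounds are exclusive: the fixed release itself is not affected.
AFFECTED_RANGES = [
    ("3.0.0", "4.16.17"),     # every 3.x release (no fix on that branch) through 4.16.16
    ("5.0.0-RC1", "5.8.21"),  # 5.0.0-RC1 onward through 5.8.20
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, Tuple]:
    """Turn 'MAJOR.MINOR.PATCH[-PRERELEASE]' into a tuple that compares in SemVer order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    pre = m.group(4)
    if pre is None:
        # A final release sorts after any pre-release of the same number.
        return (major, minor, patch, 1, ())
    # Numeric identifiers sort before alphanumeric ones; compare case-insensitively.
    parts = tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in pre.split("."))
    return (major, minor, patch, 0, parts)


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def recommended_fix(version: str) -> Optional[str]:
    """Return the patched release to move to, or None if the version is not affected."""
    v = parse_version(version)
    if not is_affected(version):
        return None
    if v[0] == 3:
        # Craft 3 has no patched release; the advisory points 3.x users to the fixed 4/5 lines.
        return "4.16.17 or 5.8.21"
    return "4.16.17" if v[0] == 4 else "5.8.21"


if __name__ == "__main__":
    for sample in ("3.9.0", "4.16.16", "4.16.17", "5.0.0-RC1", "5.8.20", "5.8.21"):
        print(f"{sample:>10}: affected={is_affected(sample)!s:<5} fix={recommended_fix(sample)}")
```

Run it against the versions reported by `composer show craftcms/cms` across your projects; anything that prints `affected=True` should be scheduled for the listed release.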

References:

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

Affected Endpoints

  • POST /admin/actions/updater/backup (unauthenticated)

Vulnerability Details

Root Cause

All updater/* actions are explicitly configured with anonymous access:

// BaseUpdaterController.php
protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE;

Attack Vector

  1. Send unauthenticated POST request to /admin/actions/updater/backup
  2. Database backup executes with configured backupCommand
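Because the request is unauthenticated, the only trace an exposed site keeps of this vector is the web server access log. The following is an added detection example, not code from Craft CMS or from the advisory: it parses combined-format access log lines, flags POST requests to the affected route, groups them by source address, and marks bursts that suggest the resource-exhaustion case. The log lines are constructed for the example, and the control panel prefix (`admin`) is a parameter because Craft's control panel trigger is configurable on real sites.

```python
"""Access-log detection for POST hits on the updater/backup action (added example)."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """
203.0.113.7 - - [04/Dec/2025:10:00:01 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 152 "-" "curl/8.4.0"
203.0.113.7 - - [04/Dec/2025:10:00:02 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 152 "-" "curl/8.4.0"
203.0.113.7 - - [04/Dec/2025:10:00:03 +0000] "POST /admin/actions/updater/backup HTTP/1.1" 200 152 "-" "curl/8.4.0"
198.51.100.4 - - [04/Dec/2025:10:01:00 +0000] "GET /admin/dashboard HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [04/Dec/2025:10:02:00 +0000] "POST /admin/actions/updater/backup/ HTTP/1.1" 200 152 "-" "Mozilla/5.0"
192.0.2.9 - - [04/Dec/2025:10:03:00 +0000] "GET /admin/actions/updater/backup HTTP/1.1" 400 0 "-" "Mozilla/5.0"
""".strip().splitlines()


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_backup_trigger(method: str, path: str, cp_trigger: str = "admin") -> bool:
    """True for a POST to <cp_trigger>/actions/updater/backup, ignoring query string and trailing slash."""
    if method != "POST":
        return False
    path_only = path.partition("?")[0].rstrip("/")
    return path_only == f"/{cp_trigger}/actions/updater/backup"


def find_backup_triggers(lines: List[str], cp_trigger: str = "admin",
                         burst_threshold: int = 3) -> List[Dict[str, object]]:
    """Group matching requests by source IP; flag sources at or above burst_threshold hits."""
    hits: Dict[str, List[Dict[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_backup_trigger(rec["method"], rec["path"], cp_trigger):
            hits[rec["ip"]].append(rec)
    findings = []
    for ip, recs in hits.items():
        findings.append({
            "ip": ip,
            "count": len(recs),
            "first_seen": recs[0]["ts"],
            "statuses": sorted({r["status"] for r in recs}),
            "burst": len(recs) >= burst_threshold,
        })
    # Noisiest sources first.
    return sorted(findings, key=lambda f: f["count"], reverse=True)


if __name__ == "__main__":
    for finding in find_backup_triggers(SAMPLE_LOG):
        print(finding)
```

A 200 response on the affected route from a source that never authenticated is the signal to act on; on a patched release the same request should be rejected, so the status codes in each finding also tell you whether the fix is in place.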


CVSS Scores

  CVSS Version  Severity  Base Score  Score Vector
  4.0           -         7           CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X


References

https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr

https://nvd.nist.gov/vuln/detail/CVE-2025-68456

https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39

https://github.com/craftcms/cms

https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04

Basic Information

  • Severity (Base CVSS): 9.1
  • EPSS Probability: 0.00078%
  • EPSS Percentile: 0.23676%
  • Introduced Version: 5.0.0-RC1, 3.0.0
  • Fix Available: 5.8.21, 4.16.17
