Improper access control in October CMS - CVE-2026-26274


Published: April 21, 2026


Vulnerability identifier: #VU126642
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-26274
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OctoberCMS
Affected software: October CMS

Detailed vulnerability description

The vulnerability allows a remote user to modify or delete arbitrary database data.

The vulnerability exists due to improper access control in the Twig sandbox security policy when processing Twig template markup that has access to the query builder. A remote privileged user can invoke insert, update, delete, or truncate operations on database tables from template markup and thereby modify or delete arbitrary database data.

Only instances with cms.safe_mode enabled are vulnerable.
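The advisory describes a sandbox policy that lets template markup reach write methods on the query builder. The snippet below is an added example, not October CMS code and not the vendor's fix: it uses Twig's own `Twig\Sandbox\SecurityPolicy` (the `$allowedMethods` allow-list and `checkMethodAllowed()`) to contrast an over-permissive policy with a deny-by-default one that exposes only read-style methods. The `QueryBuilder` class, its method names and the Composer autoload path are constructed for the example.

```php
<?php
// Added example, not October CMS code: compare a weak and a hardened Twig
// sandbox policy for a hypothetical query builder exposed to template markup.
require __DIR__ . '/vendor/autoload.php'; // assumes twig/twig installed via Composer

use Twig\Sandbox\SecurityPolicy;
use Twig\Sandbox\SecurityNotAllowedMethodError;

// Hypothetical stand-in for a query builder; names are constructed for this example.
class QueryBuilder
{
    public function where(string $column, $value): self { return $this; }
    public function get(): array { return []; }
    public function insert(array $row): bool { return true; }
    public function update(array $row): int { return 0; }
    public function delete(): int { return 0; }
    public function truncate(): void {}
}

// Weak policy: every builder method, including the write operations, is
// reachable from sandboxed template markup.
function weakPolicy(): SecurityPolicy
{
    return new SecurityPolicy(
        [], [],                                   // allowed tags, filters
        [QueryBuilder::class => ['where', 'get', 'insert', 'update', 'delete', 'truncate']],
        [], []                                    // allowed properties, functions
    );
}

// Hardened policy: allow-list only the read path; any other method call
// raises SecurityNotAllowedMethodError when the sandbox checks it.
function hardenedPolicy(): SecurityPolicy
{
    return new SecurityPolicy([], [], [QueryBuilder::class => ['where', 'get']], [], []);
}

// Ask the policy the same question Twig's sandbox asks before a method call.
function isMethodAllowed(SecurityPolicy $policy, object $obj, string $method): bool
{
    try {
        $policy->checkMethodAllowed($obj, $method);
        return true;
    } catch (SecurityNotAllowedMethodError $e) {
        return false;
    }
}

$qb = new QueryBuilder();
foreach (['get', 'insert', 'update', 'delete', 'truncate'] as $method) {
    printf("%-9s weak=%-7s hardened=%s\n", $method,
        isMethodAllowed(weakPolicy(), $qb, $method) ? 'allowed' : 'denied',
        isMethodAllowed(hardenedPolicy(), $qb, $method) ? 'allowed' : 'denied');
}
```

Under the weak policy all five calls are allowed; under the hardened policy only `get` passes and the four write operations are rejected. When auditing a sandbox configuration, the check to make is that the method allow-list for any database-facing object contains read operations only; the sandbox is only as strong as that list.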


How to mitigate CVE-2026-26274

Install the security update from the vendor's website.
