Unauthenticated Craft CMS users can trigger a database backup

7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P

Description

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16, unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.

Basic Information

ID CVE-2025-68456

Source GitHub_M

Published Jan 5, 2026 at 22:03

Affected Product

Vendor craftcms

Product cms

Version >= 5.0.0-RC1, < 5.8.21

Affected Versions craftcms cms >= 5.0.0-RC1, < 5.8.21
craftcms cms >= 3.0.0, < 4.16.17

CWE Classification

CWE-770 CWE-202

References

{
    "lastseen": "",
    "description": "Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 3.0.0 through 4.16.16,  unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes.",
    "published": "2026-01-05T22:03:11.155Z",
    "modified": "2026-01-05T22:03:11.155Z",
    "type": "cve",
    "title": "Unauthenticated Craft CMS users can trigger a database backup",
    "source": "GitHub_M",
    "references": "https://github.com/craftcms/cms/security/advisories/GHSA-v64r-7wg9-23pr\nhttps://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39\nhttps://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04",
    "id": "CVE-2025-68456",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770",
        "CWE-202"
    ],
    "cvelist": null,
    "sourceData": "craftcms cms >= 5.0.0-RC1, < 5.8.21\ncraftcms cms >= 3.0.0, < 4.16.17",
    "sourceHref": "",
    "cvss": {
        "score": 7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cms",
    "version": ">= 5.0.0-RC1, < 5.8.21",
    "vendor": "craftcms",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Unauthenticated Craft CMS users can trigger a database backup_CVE-2025-68456