CVE-2026-23885
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary system commands on AlchemyCMS servers by exploiting unsafe use of Ruby's eval() function. The issue affects AlchemyCMS versions prior to 7.4.12 and 8.0.3, putting content management systems at risk of complete server compromise.
💻 Affected Systems
- AlchemyCMS
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise, allowing an attacker to execute arbitrary commands, access sensitive data, install malware, or pivot to other systems.
Likely Case
Authenticated attacker gains remote code execution, potentially compromising the CMS database, user data, and server configuration.
If Mitigated
With proper authentication controls and network segmentation, the impact is limited to the CMS application layer.
🎯 Exploit Status
Exploitation requires authenticated access but the vulnerability is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.4.12 or 8.0.3
Vendor Advisory: https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
Restart Required: Yes
Instructions:
1. Update AlchemyCMS to version 7.4.12 (for the 7.x branch) or 8.0.3 (for the 8.x branch).
2. Restart the Rails application server.
3. Verify the patch by checking that resources_helper.rb no longer contains eval() at line 28.
🔧 Temporary Workarounds
Disable resource handler functionality
Temporarily disable or restrict access to the resource handler features that trigger the vulnerable code path.
# Modify routes.rb to restrict access to resource endpoints
# Add authentication middleware to block resource handler requests
🧯 If You Can't Patch
- Implement strict access controls to limit authenticated users who can access resource handler functionality.
- Deploy web application firewall rules to block suspicious eval-related patterns in requests.
🔍 How to Verify
Check if Vulnerable:
Check app/helpers/alchemy/resources_helper.rb line 28 for eval() usage. If it is present and the installed version is below 7.4.12 (7.x) or 8.0.3 (8.x), the system is vulnerable.
Check Version:
bundle show alchemy_cms
Verify Fix Applied:
Verify resources_helper.rb line 28 uses send() instead of eval() and confirm AlchemyCMS version is 7.4.12+ or 8.0.3+.
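The following is a constructed Ruby illustration of the bug class described above (evaluating a caller-supplied engine name as Ruby source) next to the allowlist-plus-send pattern the fix moves to; it is added here and is not AlchemyCMS's resources_helper.rb. The engine modules, the KNOWN_ENGINES allowlist and the helper names are assumptions made for the example.

```ruby
# Two stand-in "engines" that each expose a routes object (constructed).
module Alchemy
  def self.routes
    :alchemy_routes
  end
end

module Shop
  def self.routes
    :shop_routes
  end
end

# Engines a resource handler may legitimately resolve, keyed by the name
# that arrives with the request (hypothetical allowlist, not AlchemyCMS's).
KNOWN_ENGINES = { "Alchemy" => Alchemy, "Shop" => Shop }.freeze

# Unsafe pattern: the engine name is interpolated into Ruby source and
# evaluated, so any input that is not a bare constant name runs as code.
def engine_routes_unsafe(engine_name)
  eval("#{engine_name}.routes") # vulnerable on purpose; do not copy
end

# Hardened pattern: reject anything that is not a plain constant name, resolve
# it through the allowlist, then call a fixed method via send (no string eval).
ENGINE_NAME = /\A[A-Z][A-Za-z0-9_]*\z/

def engine_routes_safe(engine_name)
  name = engine_name.to_s
  raise ArgumentError, "malformed engine name: #{name.inspect}" unless name.match?(ENGINE_NAME)
  engine = KNOWN_ENGINES.fetch(name) { raise ArgumentError, "unknown engine: #{name.inspect}" }
  engine.send(:routes)
end

# True when the safe resolver rejects the input, which is what a patched code
# path should do for anything that is not a known engine name.
def rejected_by_safe_resolver?(engine_name)
  engine_routes_safe(engine_name)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts engine_routes_safe("Alchemy")                       # alchemy_routes
  puts rejected_by_safe_resolver?("Alchemy.then { Shop }") # true
end
```

With the unsafe helper, the input "Alchemy.then { Shop }" is evaluated and silently resolves to the Shop engine, which shows why a line-28 eval() on request data is an injection point; the safe helper refuses it before any dispatch happens.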
📡 Detection & Monitoring
Log Indicators:
- Unusual eval-related errors in Rails logs
- Suspicious resource handler requests from authenticated users
- Unexpected system command execution in server logs
Network Indicators:
- HTTP requests containing unusual engine_name parameters
- POST requests to resource handler endpoints with suspicious payloads
SIEM Query:
source="rails.log" AND ("eval" OR "resource_handler" OR "engine_name") AND status=200
🔗 References
- https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
- https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
- https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
- https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
- https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979