
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-23885: AlchemyCMS: Turning Configuration into Remote Code Execution


Vulnerability ID: CVE-2026-23885
CVSS Score: 6.6
Published: 2026-01-21

A classic case of eval() injection in AlchemyCMS allows authenticated administrators to escalate their privileges to full Remote Code Execution on the underlying server. The vulnerability stems from the resource_url_proxy helper, which prioritized flexibility over sanity by evaluating a configured engine name as Ruby, complete with a suppressed linting warning.

TL;DR

The AlchemyCMS team literally ignored a security linter warning to use eval() on user-supplied configuration data. This allows anyone with administrative access to inject Ruby code, leading to RCE. Fixed in 7.4.12 and 8.0.3 by switching to public_send.
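The following is an added example, not AlchemyCMS code: RoutesProxy and ResourceHandler are constructed stand-ins for a route-helper proxy and the handler whose engine_name comes from configuration. It contrasts the pre-fix eval shape with the public_send shape of the upstream commits, and adds an allowlisted variant (an assumption of this note, not the upstream fix) to show why dispatching on a configured string still deserves validation.

```ruby
# Constructed stand-in for the handler whose engine_name is read from
# configuration. The real AlchemyCMS handler class is not reproduced here.
ResourceHandler = Struct.new(:engine_name)

# Hypothetical proxy exposing one public method per mounted engine.
class RoutesProxy
  # Assumed allowlist of engine names this proxy is willing to resolve.
  ALLOWED_ENGINES = %w[main_app alchemy].freeze

  def main_app
    :main_app_routes
  end

  def alchemy
    :alchemy_routes
  end

  # Pre-fix shape: the configured string is evaluated as Ruby source, so
  # "alchemy" becomes a method call and "1 + 1" becomes arithmetic. The
  # disable comment mirrors the suppressed linter warning the report describes.
  def engine_via_eval(handler)
    eval(handler.engine_name) # rubocop:disable Security/Eval
  end

  # Shape of the upstream fix: the string names a method instead of being
  # parsed as code. Expressions no longer evaluate, but any public method on
  # self is still reachable by name.
  def engine_via_public_send(handler)
    public_send(handler.engine_name)
  end

  # Defensive variant (assumption, not the upstream change): only names on the
  # allowlist are dispatched, so unrelated public methods cannot be selected
  # by whoever edits the configuration file.
  def engine_via_allowlist(handler)
    name = handler.engine_name.to_s
    unless ALLOWED_ENGINES.include?(name)
      raise ArgumentError, "unknown engine name: #{name.inspect}"
    end
    public_send(name)
  end
end

if __FILE__ == $PROGRAM_NAME
  proxy = RoutesProxy.new
  puts proxy.engine_via_eval(ResourceHandler.new("1 + 1")).inspect        # evaluated as code
  puts proxy.engine_via_public_send(ResourceHandler.new("alchemy")).inspect
  begin
    proxy.engine_via_allowlist(ResourceHandler.new("object_id"))
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Running the block shows the three behaviours side by side: eval returns 2 for the expression, public_send raises NoMethodError for it but will happily return object_id for a string naming that method, and the allowlisted variant rejects anything that is not a known engine name.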


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code)
  • CVSS Score: 6.6 (Medium)
  • Attack Vector: Network (Authenticated)
  • Impact: Remote Code Execution (RCE)
  • Exploit Status: PoC Available
  • Patch Date: 2026-01-19

Affected Systems

  • AlchemyCMS < 7.4.12 (Fixed in: 7.4.12)
  • AlchemyCMS >= 8.0.0.a, <= 8.0.2 (Fixed in: 8.0.3)

Code Analysis

Commit: 55d03ec

Fix RCE in resource_url_proxy for v7.4-stable

- eval(resource_handler.engine_name)
+ public_send(resource_handler.engine_name)
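Review bot: public_send(resource_handler.engine_name) still lets the configured string pick any public method on the receiver, so this hunk stops source evaluation but does not validate engine_name itself; consider checking the value against an allowlist of the engine names the proxy is expected to resolve (or at least an identifier-shaped pattern) before dispatching, and raising on anything else.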

Commit: 563c4ce

Fix RCE in resource_url_proxy for v8.0-stable

- eval(resource_handler.engine_name)
+ public_send(resource_handler.engine_name)
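Review bot: the hunk carries no regression test alongside the one-line change; a spec that sets engine_name to a non-method expression such as "1 + 1" and expects NoMethodError rather than the value 2 would lock in the new behaviour and catch a future reintroduction of eval on this branch.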

Exploit Details

  • GitHub: Proof of Concept demonstrating eval injection via simulated OpenStruct handler

Mitigation Strategies

  • Upgrade AlchemyCMS to version 7.4.12 or 8.0.3 immediately.
  • Audit all config/alchemy/modules.yml files for suspicious engine_name entries.
  • Restrict administrative access to trusted personnel only.

Remediation Steps:

  1. Open your Gemfile.
  2. Update the alchemy_cms line: gem 'alchemy_cms', '>= 7.4.12' (or '>= 8.0.3' if you are on the 8.0 series).
  3. Run bundle update alchemy_cms.
  4. Restart the application server.

Read the full report for CVE-2026-23885 on our website for more details including interactive diagrams and full exploit analysis.
