Alchemy CMS RCE: Ruby Eval Flaw Opens Door for Command Execution

CVE Notify is flagging a critical remote code execution (RCE) vulnerability, CVE-2026-23885, in the Alchemy open-source content management system (CMS), which ships as a Ruby on Rails engine. The issue stems from a call to Ruby's eval in the Alchemy::ResourcesHelper#resource_url_proxy method. Prior to versions 7.4.12 and 8.0.3, that method evaluated the resource_handler.engine_name attribute as Ruby source in order to look up the routes proxy for the named engine. The call sits under a # rubocop:disable Security/Eval comment. That comment does not bypass any check; it only silences the linter's warning about eval, which means the developers knew a risky function was in use and chose to rely on the attribute's value being trustworthy rather than validating it.

According to CVE Notify, an authenticated attacker who can influence engine_name gets arbitrary Ruby code executed inside the web application process; there is no sandbox around eval, so anything Ruby can do, including spawning system commands, is reachable. The engine_name attribute can be set through administrative configuration, so exploitation requires an account with that level of access. The fix in versions 7.4.12 and 8.0.3 replaces the eval call with send, so the configured string is used as a method name to look up rather than parsed and run as Ruby source, which closes the command-injection path. Note that send will still dispatch to any method whose name it is given, including private ones, so restricting the accepted engine names to a known set remains good practice.
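The following is an added illustration of the flaw's shape and not Alchemy's own code: a stand-in view-helper context exposes route proxies by name (main_app and alchemy are assumed stand-ins for the Rails RoutesProxy objects), resolves them first with eval as the vulnerable versions did, then with send as the fix does, and finally with an explicit allowlist. The injected payload sets a global variable instead of shelling out so the script is safe to run; anything that can set that variable could equally call system.

```ruby
# Stand-in for the route proxies a Rails host app exposes to view helpers
# (real ones are ActionDispatch::Routing::RoutesProxy; assumed for the demo).
RouteProxy = Struct.new(:name)

# Stand-in for the Alchemy resource handler; engine_name is admin-configurable.
ResourceHandler = Struct.new(:engine_name)

class HelperContext
  # Engine names this helper is willing to resolve (assumed allowlist).
  ALLOWED_ENGINES = %w[main_app alchemy].freeze

  def main_app
    RouteProxy.new("main_app")
  end

  def alchemy
    RouteProxy.new("alchemy")
  end

  # Vulnerable shape: the configured string is parsed and run as Ruby source,
  # so a value such as "alchemy; system('id')" executes a shell command.
  def resource_url_proxy_vulnerable(resource_handler)
    eval(resource_handler.engine_name) # rubocop:disable Security/Eval
  end

  # Fixed shape (as in 7.4.12 / 8.0.3): the string is only a method name.
  # "alchemy; ..." is no longer parsed; it is simply an unknown method.
  def resource_url_proxy_fixed(resource_handler)
    send(resource_handler.engine_name)
  end

  # Hardened shape: send still reaches any method, private ones included,
  # so check the value against a fixed allowlist before dispatching.
  def resource_url_proxy_allowlisted(resource_handler)
    name = resource_handler.engine_name.to_s
    unless ALLOWED_ENGINES.include?(name)
      raise ArgumentError, "unsupported engine_name #{name.inspect}"
    end
    public_send(name)
  end
end

# Exercise all three variants against a benign name, an injected payload, and
# the name of a private Kernel method. Returns a hash of observations.
def run_demo
  ctx = HelperContext.new
  benign  = ResourceHandler.new("alchemy")
  # Constructed payload: sets a global as a stand-in for running a command.
  payload = ResourceHandler.new("alchemy; $demo_marker = 'attacker code ran'")
  private_name = ResourceHandler.new("binding") # Kernel#binding is private

  out = {}

  $demo_marker = nil
  out[:vuln_benign]       = ctx.resource_url_proxy_vulnerable(benign).name
  out[:vuln_payload]      = ctx.resource_url_proxy_vulnerable(payload)
  out[:marker_after_eval] = $demo_marker

  $demo_marker = nil
  out[:fixed_benign] = ctx.resource_url_proxy_fixed(benign).name
  out[:fixed_payload_error] = begin
    ctx.resource_url_proxy_fixed(payload)
    nil
  rescue NoMethodError => e
    e.class
  end
  out[:marker_after_send] = $demo_marker

  # send bypasses visibility: "binding" resolves to a Binding object.
  out[:send_reaches_private] = ctx.resource_url_proxy_fixed(private_name).is_a?(Binding)
  out[:allowlist_rejects_private] = begin
    ctx.resource_url_proxy_allowlisted(private_name)
    nil
  rescue ArgumentError => e
    e.class
  end
  out[:allowlisted_benign] = ctx.resource_url_proxy_allowlisted(benign).name

  out
end

if __FILE__ == $PROGRAM_NAME
  run_demo.each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

Running the script shows the payload string evaluated and the global set under eval, a NoMethodError with the global untouched under send, and that send alone still returns a Binding for "binding" while the allowlisted version refuses it; that last pair is why the page's advice to treat send as safer should be read together with input validation.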

What This Means For You

  • Security teams should prioritize upgrading Alchemy CMS instances to version 7.4.12 or 8.0.3 (or later in the respective branch) to address CVE-2026-23885, since an authenticated attacker with access to the relevant administrative configuration can use this flaw to execute arbitrary commands on the host as the web application user. Until the upgrade is in place, review who holds that administrative access and audit the configured engine_name values for anything other than a plain engine name.

Related ATT&CK Techniques

Indicators of Compromise

ID              Type              Indicator
CVE-2026-23885  Vulnerability     CVE-2026-23885
CVE-2026-23885  Affected Product  Alchemy CMS (Ruby on Rails engine), versions before 7.4.12 and 8.0.3