CVE-2026-25492: CWE-918: Server-Side Request Forgery (SSRF) in craftcms cms
CVE-2026-25492 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21. It arises from the save_images_Asset GraphQL mutation, which improperly validates hostnames and allows fetching internal URLs by resolving domain names to internal IP addresses.
AI Analysis
Technical Summary
CVE-2026-25492 is a medium-severity SSRF vulnerability affecting Craft CMS, a popular content management system. The flaw exists in the save_images_Asset GraphQL mutation, which is designed to save image assets. This mutation accepts a domain name parameter that is intended to point to image resources. However, in affected versions (3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21), hostname validation is insufficient, allowing an attacker to supply domain names resolving to internal IP addresses. This enables the server to make unauthorized HTTP requests to internal network resources. Furthermore, if the CMS configuration allows non-image file extensions such as .txt, the downstream image validation can be bypassed. This combination allows an authenticated attacker with permission to invoke save_images_Asset to retrieve sensitive internal data, including AWS instance metadata credentials, which can lead to further compromise of cloud infrastructure. The vulnerability does not require user interaction and can be exploited remotely with low complexity, but it requires the attacker to have authenticated access with specific permissions. The issue has been patched in Craft CMS versions 4.16.18 and 5.8.22. No public exploits have been reported yet, but the potential for sensitive data exposure and cloud credential theft makes this a significant risk for affected deployments.
Potential Impact
For European organizations, this vulnerability poses a risk of unauthorized internal network access and sensitive data exposure, particularly in cloud-hosted environments using AWS. Attackers exploiting this SSRF flaw can access internal services that are otherwise inaccessible externally, potentially retrieving metadata credentials that enable lateral movement, privilege escalation, or data exfiltration. This can compromise confidentiality and integrity of critical systems and data. Organizations relying on Craft CMS for their websites or intranet portals may face service disruption or reputational damage if exploited. The medium CVSS score reflects moderate impact, but the ability to access cloud credentials elevates the risk in environments heavily dependent on cloud infrastructure. Given the widespread use of Craft CMS in Europe, especially in sectors like media, education, and government, the vulnerability could be leveraged for targeted attacks or espionage. The absence of known exploits in the wild suggests a window for proactive remediation before active exploitation occurs.
Mitigation Recommendations
European organizations should immediately upgrade Craft CMS to versions 4.16.18 or 5.8.22 or later to apply the official patches addressing this SSRF vulnerability. In addition, administrators should audit GraphQL permissions to restrict save_images_Asset mutation access only to trusted and necessary users. Review and tighten allowed file extensions for image uploads, disallowing non-image types such as .txt to prevent bypassing validation. Implement network segmentation and firewall rules to limit the CMS server's ability to make outbound requests to internal IP ranges and cloud metadata endpoints. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with SSRF detection capabilities to monitor and block suspicious internal requests. Regularly scan and monitor logs for unusual GraphQL mutation usage or unexpected internal network access attempts. Finally, conduct security awareness training for developers and administrators on secure CMS configuration and patch management best practices.
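As an added illustration (not code from Craft CMS or from this advisory), the kind of hostname check the summary says was missing, written in Python: resolve the user-supplied hostname, reject it if any answer is loopback, private or link-local (which covers the 169.254.169.254 metadata address), require an image extension, and hand back a pinned IP for the actual fetch. The extension allow-list, host names and DNS table are constructed for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hypothetical allow-list; Craft's own allowedFileExtensions setting is not reproduced here.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}

def is_internal(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local (covers 169.254.169.254), CGNAT and similar."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # unwrap ::ffff:10.0.0.1 so the IPv4 rules apply
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified or (ip.version == 4 and ip in ipaddress.ip_network("100.64.0.0/10")))

def check_image_url(url: str, resolve=socket.getaddrinfo) -> tuple[bool, str]:
    """Return (True, pinned_ip) if the URL may be fetched, else (False, reason). The fetch must
    connect to pinned_ip (Host/SNI set to the hostname) rather than resolve again (DNS rebinding)."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme not in ("http", "https") or not host:
        return False, "scheme or host not allowed"
    filename = parts.path.rsplit("/", 1)[-1]
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_IMAGE_EXTENSIONS:  # a permissive list (e.g. .txt) defeats later image checks
        return False, f"extension {ext!r} is not an allowed image type"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: nothing to resolve
    except ValueError:
        try:
            addrs = sorted({info[4][0] for info in resolve(host, None)})
        except socket.gaierror:
            addrs = []
    if not addrs:
        return False, "hostname does not resolve"
    for addr in addrs:  # reject if ANY answer is internal: attacker DNS can mix public/private records
        if is_internal(addr):
            return False, f"{host} resolves to internal address {addr}"
    return True, addrs[0]

# Constructed lookup table standing in for DNS so the example runs offline.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "169.254.169.254"],  # mixed answers
}

def fake_resolve(host, port):
    if host not in FAKE_DNS:
        raise socket.gaierror("constructed NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, 0)) for a in FAKE_DNS[host]]
```

Pass the real `socket.getaddrinfo` (the default) in production; the check is only meaningful if the HTTP client then connects to the returned IP instead of resolving the name a second time.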
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.823Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a3d0c4b57a58fa16d39cd
Added to database: 2/9/2026, 8:01:16 PM
Last enriched: 2/17/2026, 9:44:28 AM
Last updated: 2/21/2026, 12:16:40 AM