CVE-2026-25494: CWE-918: Server-Side Request Forgery (SSRF) in craftcms cms
CVE-2026-25494 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21. The vulnerability arises because the saveAsset GraphQL mutation uses PHP's filter_var function with FILTER_VALIDATE_IP to block certain IP addresses, but this function does not recognize alternative IP notations such as hexadecimal or mixed formats.
AI Analysis
Technical Summary
CVE-2026-25494 is a Server-Side Request Forgery (SSRF) vulnerability affecting Craft CMS, a platform widely used for building digital experiences. The vulnerability exists in the saveAsset GraphQL mutation, which attempts to restrict access to certain IP addresses by validating them using PHP's filter_var function with the FILTER_VALIDATE_IP flag. However, filter_var does not correctly validate IP addresses expressed in alternative notations such as hexadecimal or mixed formats. This flaw allows attackers to bypass the IP blocklist and send crafted requests to internal resources, notably cloud metadata services often used in cloud environments to provide instance metadata and credentials. Access to such metadata services can lead to sensitive information disclosure, including cloud credentials, which attackers could leverage for privilege escalation or lateral movement within the victim's infrastructure. The vulnerability affects Craft CMS versions from 4.0.0-RC1 up to 4.16.17 and 5.0.0-RC1 up to 5.8.21. The issue was addressed in versions 4.16.18 and 5.8.22 by improving IP validation to correctly handle alternative IP notations. The CVSS 4.0 score of 6.9 indicates a medium severity level, with an attack vector over the network, no required privileges or user interaction, and limited impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk, especially in cloud-hosted environments where metadata services are accessible internally. Organizations using affected versions should apply patches promptly to mitigate the risk of SSRF attacks that could lead to sensitive data exposure and further compromise.
Potential Impact
For European organizations, this SSRF vulnerability poses a significant risk, especially for those hosting Craft CMS in cloud environments such as AWS, Azure, or Google Cloud, where metadata services provide critical instance information and credentials. Exploitation could lead to unauthorized access to sensitive cloud metadata, enabling attackers to escalate privileges, move laterally within networks, or exfiltrate confidential data. This can result in data breaches, service disruptions, and compliance violations under regulations like GDPR. The medium severity rating reflects that while the vulnerability does not directly allow remote code execution, the indirect access to internal services can have serious consequences. Organizations relying on Craft CMS for their digital platforms, particularly those with public-facing GraphQL endpoints, are at risk of external attackers exploiting this flaw without authentication or user interaction. The impact is heightened in sectors with stringent data protection requirements, such as finance, healthcare, and government, common in Europe. Failure to patch could also damage organizational reputation and lead to financial penalties.
Mitigation Recommendations
European organizations should immediately upgrade Craft CMS to versions 4.16.18 or 5.8.22 or later, where the vulnerability is patched. In addition to patching, organizations should implement strict network segmentation to limit access from web-facing services to internal cloud metadata endpoints. Employing Web Application Firewalls (WAFs) with rules to detect and block SSRF patterns can provide an additional layer of defense. Monitoring and logging GraphQL mutation requests, especially saveAsset operations, can help detect anomalous activity indicative of exploitation attempts. Organizations should also audit their cloud metadata service configurations to enforce the use of Instance Metadata Service Version 2 (IMDSv2) or equivalent protections that require session tokens, reducing SSRF impact. Regular security assessments and penetration testing focusing on SSRF vectors in GraphQL APIs are recommended. Finally, educating developers about secure IP validation and input sanitization practices can prevent similar issues in future development.
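To make the validation gap in the technical summary concrete, and to show the kind of host check and log sweep the mitigation section calls for, here is an added example written for this page. It is not Craft CMS code and does not reproduce the saveAsset mutation. It assumes the flawed pattern is "strictly validate the host, consult the blocklist only when validation succeeds", models the strict validator with Python's ipaddress module as a stand-in for FILTER_VALIDATE_IP, and parses the permissive notations that BSD-style inet_aton and libcurl accept. It goes beyond the hexadecimal and mixed forms the page names to octal, shorthand dotted and plain-integer forms as well. The request records, hostnames and fake_resolver are constructed for the example.

```python
"""Canonicalising IPv4 notations before an SSRF host check.

Added example for this page, not Craft CMS code. It shows (1) why a
"validate the IP, then consult the blocklist" pattern fails when the
validator is stricter than the HTTP client's resolver, (2) a hardened
check that canonicalises first, and (3) that check applied to
constructed request records as a log-review sweep.
"""
import ipaddress
from typing import Callable, List, Optional, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

# Constructed request records, not real Craft CMS log output.
SAMPLE_REQUESTS = [
    {"id": 1, "mutation": "saveAsset", "url": "https://cdn.example.org/a.png"},
    {"id": 2, "mutation": "saveAsset", "url": "http://0x7f000001/status"},
    {"id": 3, "mutation": "saveAsset", "url": "http://127.1/admin"},
    {"id": 4, "mutation": "saveEntry", "url": "http://127.0.0.1/"},
    {"id": 5, "mutation": "saveAsset", "url": "http://2130706433/"},
]


def parse_legacy_ipv4(text: str) -> Optional[int]:
    """Parse IPv4 the way BSD inet_aton (and so libcurl) does.

    Each dot-separated part may be decimal, octal (leading 0) or hex (0x);
    one to four parts are allowed and the last part fills the remaining
    bytes. Returns the 32-bit value, or None if the text is not an address.
    """
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = []
    for part in parts:
        # int() would accept "+1", "1_0" or " 1"; inet_aton does not.
        if not (part.isascii() and part.isalnum()):
            return None
        try:
            if part[:2].lower() == "0x":
                values.append(int(part, 16))
            elif len(part) > 1 and part[0] == "0":
                values.append(int(part, 8))
            else:
                values.append(int(part, 10))
        except ValueError:
            return None
    *leading, last = values
    if any(v > 0xFF for v in leading) or last >= 256 ** (4 - len(leading)):
        return None
    result = last
    for i, v in enumerate(leading):
        result |= v << (8 * (3 - i))
    return result


def _is_internal(addr: IPAddress) -> bool:
    """True for loopback, private, link-local (incl. metadata ranges) etc."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # "::ffff:127.0.0.1" is still loopback
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def naive_host_allowed(host: str) -> bool:
    """The flawed pattern: strict validation first, blocklist only on success.

    A host the strict parser rejects is waved through, yet the resolver
    later turns "0x7f000001" or "127.1" into 127.0.0.1 anyway.
    """
    try:
        addr = ipaddress.ip_address(host)  # strict, like FILTER_VALIDATE_IP
    except ValueError:
        return True  # "not an IP", so the blocklist is never consulted
    return not _is_internal(addr)


def hardened_host_allowed(host: str, resolve: Optional[Resolver] = None) -> bool:
    """Canonicalise every notation the resolver would accept, then check.

    Hostnames go through `resolve`; every returned address must be external.
    With no resolver supplied, hostnames are rejected (fail closed).
    """
    legacy = parse_legacy_ipv4(host)
    if legacy is not None:
        return not _is_internal(ipaddress.ip_address(legacy))
    try:
        return not _is_internal(ipaddress.ip_address(host.strip("[]")))
    except ValueError:
        pass
    if resolve is None:
        return False
    addrs = resolve(host)
    return bool(addrs) and all(not _is_internal(ipaddress.ip_address(a)) for a in addrs)


def fake_resolver(host: str) -> List[str]:
    """Stand-in for DNS, constructed for this example: one known host only."""
    return ["93.184.216.34"] if host == "cdn.example.org" else []


def audit_requests(records, resolve: Optional[Resolver] = None):
    """Return (id, host) for saveAsset records whose URL host fails the
    hardened check, i.e. the entries a reviewer should look at first."""
    findings = []
    for rec in records:
        if rec["mutation"] != "saveAsset":
            continue
        host = urlsplit(rec["url"]).hostname or ""
        if not hardened_host_allowed(host, resolve):
            findings.append((rec["id"], host))
    return findings


if __name__ == "__main__":
    for h in ("127.0.0.1", "0x7f000001", "127.1", "2130706433"):
        print(f"{h:>12}  naive={naive_host_allowed(h)!s:5}  hardened={hardened_host_allowed(h)}")
    print(audit_requests(SAMPLE_REQUESTS, fake_resolver))
```

The point of the naive/hardened pair is that the blocklist must be applied to what the HTTP client will actually connect to, not to what a strict parser happens to recognise; in production the resolver should be the real DNS lookup, every A/AAAA record must pass, and the client should be pinned to the checked address (or redirects disabled) so the check cannot be undone by a later lookup.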
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.824Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698a3d0c4b57a58fa16d39d7
Added to database: 2/9/2026, 8:01:16 PM
Last enriched: 2/17/2026, 9:44:59 AM
Last updated: 2/21/2026, 12:16:58 AM
Views: 41