Craft CMS, a popular content management system, suffers from a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability identified as CVE-2026-27127. This vulnerability exists in the SSRF (Server-Side Request Forgery) validation logic within the GraphQL Asset mutation feature. Specifically, the system performs DNS resolution separately from the subsequent HTTP request, which opens the door to DNS rebinding attacks. In such attacks, an attacker-controlled DNS server returns one IP address during validation and a different IP address during the actual HTTP request, effectively bypassing IP-based access controls implemented to block certain addresses. This vulnerability is a regression or bypass of the previous fix for CVE-2025-68437, extending the bypass capability beyond IPv6 endpoints to all blocked IPs. To exploit this flaw, an attacker must have GraphQL schema permissions that allow editing or creating assets within a specified volume, which may be granted to authenticated users or, in cases of misconfiguration, even to public schemas with write permissions. The vulnerability affects Craft CMS versions from 4.5.0-RC1 up to but not including 4.16.19, and from 5.0.0-RC1 up to but not including 5.8.23. The vendor has released patches in versions 4.16.19 and 5.8.23 to address this issue. The CVSS 4.0 vector indicates a network attack vector, high complexity, partial privileges required, no user interaction, and high impact on confidentiality, with scope and integrity unaffected. No known exploits have been reported in the wild as of the publication date.

This vulnerability can have significant impacts on organizations using affected versions of Craft CMS, especially those exposing GraphQL APIs with permissive or misconfigured schema permissions. Successful exploitation allows attackers to bypass IP-based restrictions and perform SSRF attacks against internal or protected network resources, potentially leading to unauthorized access to sensitive internal services, data leakage, or further network pivoting. Since the vulnerability affects the confidentiality of internal network resources and can be exploited remotely over the network, it poses a substantial risk to organizations relying on Craft CMS for content management. The requirement for partial privileges limits exploitation to authenticated users with certain GraphQL permissions, but misconfigurations or overly permissive public schemas can widen the attack surface. The impact is heightened in environments where internal services are not otherwise exposed or protected, as attackers can leverage this flaw to reach otherwise inaccessible endpoints. Although no active exploits are known, the presence of a reliable bypass of prior fixes increases the urgency for remediation.

Organizations should immediately upgrade affected Craft CMS instances to versions 4.16.19 or 5.8.23 or later, where the vulnerability is patched. In addition to patching, administrators should audit GraphQL schema permissions to ensure that only trusted and necessary users have asset editing or creation rights, especially in public schemas. Restricting GraphQL API access through network-level controls, such as IP whitelisting or VPN requirements, can reduce exposure. Implementing strict DNS resolution policies and monitoring for anomalous DNS behavior may help detect or prevent DNS rebinding attempts. Where possible, internal services should be segmented and protected by additional access controls to limit the impact of SSRF attacks. Logging and monitoring GraphQL mutation activities can aid in early detection of exploitation attempts. Finally, educating developers and administrators about secure GraphQL schema design and permission management is critical to prevent similar issues.