CVE-2026-27127: CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition in craftcms cms
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
AI Analysis (machine-generated threat intelligence)
Technical Summary
Craft CMS, a widely used content management system, contains a TOCTOU race condition (CVE-2026-27127) in the SSRF validation of its GraphQL Asset mutation. The validation step resolves the supplied hostname and checks the resulting address, but the subsequent HTTP request resolves the hostname again rather than reusing the checked address, creating a window in which an attacker-controlled DNS server can return one address for validation and a different one for the request. This discrepancy enables DNS rebinding attacks that bypass the SSRF protections meant to block requests to internal and other denied IP ranges. The flaw is a bypass of the earlier fix for CVE-2025-68437 and extends to all blocked IPs rather than only IPv6 endpoints. Exploitation requires GraphQL schema permissions to edit or create assets within a specified volume; these may be held by authenticated users or, through misconfiguration, by the Public Schema with write access. Affected versions are 4.5.0-RC1 up to but not including 4.16.19, and 5.0.0-RC1 up to but not including 5.8.23; 4.16.19 and 5.8.23 contain the patch. The CVSS 4.0 vector indicates network attack vector, high attack complexity, partial privileges required, no user interaction, and high confidentiality impact with no impact on integrity or availability. No exploits in the wild had been reported as of publication.
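To make the check-then-use gap concrete, the following added example (generic Python, not Craft CMS code; the resolver, transport, deny list and hostname are constructed assumptions) shows the vulnerable shape beside the pinned-resolution form, plus a regression check using a resolver whose answer changes between lookups:

```python
"""Illustration of the TOCTOU pattern behind CVE-2026-27127 and the
pinned-resolution fix, in generic Python. This is an added example, not
Craft CMS code; the resolver and transport are injected stubs so it runs
offline."""
import ipaddress
from typing import Callable
from urllib.parse import urlsplit

# Name -> IP lookup. In production this wraps socket.getaddrinfo; here
# it is injected so a changing DNS answer can be simulated offline.
Resolver = Callable[[str], str]
# (ip, host, path) -> response body. Stands in for the real HTTP client.
Transport = Callable[[str, str, str], str]

# Ranges an SSRF guard must reject (assumption: a typical deny list).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
    "::ffff:0:0/96",  # IPv4-mapped IPv6, so mapped private ranges fail too
)]


def is_blocked(ip: str) -> bool:
    """True when the address lies inside any denied range."""
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped addresses so ::ffff:127.0.0.1 hits the v4 list.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def fetch_toctou(url: str, resolve: Resolver, send: Transport) -> str:
    """Vulnerable shape: validate one resolution, then let the HTTP
    client resolve the name again for the actual connection."""
    parts = urlsplit(url)
    host = parts.hostname
    checked_ip = resolve(host)          # time of check
    if is_blocked(checked_ip):
        raise ValueError(f"blocked address {checked_ip}")
    actual_ip = resolve(host)           # time of use: a second lookup
    return send(actual_ip, host, parts.path or "/")


def fetch_pinned(url: str, resolve: Resolver, send: Transport) -> str:
    """Hardened shape: resolve once, validate that address, and connect
    to that same address, passing the original name as the Host header."""
    parts = urlsplit(url)
    host = parts.hostname
    ip = resolve(host)
    if is_blocked(ip):
        raise ValueError(f"blocked address {ip}")
    return send(ip, host, parts.path or "/")   # no second lookup


def rebinding_resolver(answers: list[str]) -> Resolver:
    """Constructed resolver that hands out successive answers, modelling a
    short-TTL record whose value differs between lookups."""
    it = iter(answers)
    return lambda host: next(it)


def recording_transport(log: list[str]) -> Transport:
    """Constructed transport that records which IP was contacted."""
    def send(ip, host, path):
        log.append(ip)
        return f"connected to {ip} (Host: {host}{path})"
    return send


def demo() -> tuple[list[str], list[str]]:
    """Run both fetchers against a resolver whose second answer is
    loopback; return the IPs each one actually contacted."""
    url = "http://cdn.example.invalid/image.png"  # constructed hostname
    answers = ["203.0.113.10", "127.0.0.1"]        # TEST-NET-3, then loopback
    toctou_log, pinned_log = [], []
    fetch_toctou(url, rebinding_resolver(answers), recording_transport(toctou_log))
    fetch_pinned(url, rebinding_resolver(answers), recording_transport(pinned_log))
    return toctou_log, pinned_log


if __name__ == "__main__":
    t, p = demo()
    print("TOCTOU fetch contacted:", t)   # ['127.0.0.1']
    print("pinned fetch contacted:", p)   # ['203.0.113.10']
```

Two points carry over to a real HTTP client: every redirect target must go through the same resolve-once-then-pin path, and for HTTPS the socket is opened to the pinned address while the original hostname is still supplied for SNI and certificate verification (in Python, `ssl.SSLContext.wrap_socket(..., server_hostname=host)`).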
Potential Impact
This vulnerability allows attackers with specific GraphQL permissions to bypass SSRF protections and access internal or otherwise blocked IP addresses, potentially exposing sensitive internal services, metadata endpoints, or administrative interfaces not intended for external access. The ability to perform DNS rebinding attacks can lead to unauthorized data disclosure, reconnaissance, and potentially lateral movement within an organization's internal network. Since exploitation requires authenticated access with asset editing or creation permissions, the risk is elevated in environments where such permissions are granted broadly or where public schemas are misconfigured to allow write access. Organizations using affected Craft CMS versions may face confidentiality breaches, especially if internal services contain sensitive information or control interfaces. The vulnerability does not directly impact data integrity or availability but can be a stepping stone for further attacks. The high CVSS score reflects the significant confidentiality impact and the complexity of exploitation, which requires some privileges but no user interaction.
Mitigation Recommendations
Organizations should:
- Upgrade Craft CMS installations to 4.16.19 or 5.8.23 or later, where the vulnerability is patched.
- Review and tighten GraphQL schema permissions so that only trusted, authenticated users hold asset editing or creation rights, and avoid granting write permissions to the Public Schema.
- Apply network segmentation and egress firewall rules so the CMS server cannot reach internal services or metadata endpoints it does not need.
- Monitor GraphQL API usage for unusual asset mutation requests, especially from less trusted users.
- Consider DNS security measures such as DNS filtering or DNSSEC validation to reduce the risk of DNS rebinding; treat these as a supplement to upgrading rather than a substitute, since a rebinding attacker controls the authoritative zone being resolved.
- Audit CMS configuration and permissions regularly to detect and remediate misconfigurations that could facilitate exploitation.
- Deploy runtime application self-protection (RASP) or a Web Application Firewall (WAF) with rules targeting SSRF and DNS rebinding patterns as an additional defense layer.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, Netherlands, France, Japan, South Korea, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-17T18:42:27.043Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699d14d6be58cf853b182c37
Added to database: 2/24/2026, 3:02:46 AM
Last enriched: 3/3/2026, 6:46:01 PM
Last updated: 4/9/2026, 11:07:14 PM
Views: 113