CVE-2026-27129 is a medium-severity SSRF vulnerability affecting Craft CMS, a popular content management system. The vulnerability stems from the use of the PHP function gethostbyname() in the GraphQL Asset mutation SSRF validation logic. This function only resolves IPv4 addresses and returns the hostname string unchanged if only IPv6 (AAAA) DNS records exist. Consequently, the blocklist check designed to prevent SSRF attacks fails because it compares the hostname string rather than a resolved IP address, allowing attackers to bypass SSRF protections entirely. This vulnerability is a bypass of a previous fix (CVE-2025-68437). To exploit this issue, an attacker must have GraphQL schema permissions that allow editing and creating assets within a specific volume, which may be granted to authenticated users or through misconfigured public schemas with write permissions. Successful exploitation could enable attackers to make unauthorized server-side requests, potentially accessing internal services or sensitive data. The vulnerability affects Craft CMS versions from 4.5.0-RC1 up to but not including 4.16.19, and 5.0.0-RC1 up to but not including 5.8.23, where patches have been applied. No known exploits are currently reported in the wild.

The SSRF vulnerability in Craft CMS can allow attackers with certain GraphQL permissions to bypass SSRF protections and make arbitrary HTTP requests from the server. This can lead to unauthorized access to internal network resources, potentially exposing sensitive data or enabling further attacks such as internal port scanning, accessing metadata services in cloud environments, or exploiting other internal vulnerabilities. Organizations using affected versions of Craft CMS that expose GraphQL APIs with asset mutation permissions are at risk. The impact is particularly significant if public or poorly restricted GraphQL schemas exist, as this could allow unauthenticated or low-privilege attackers to exploit the vulnerability. While the vulnerability does not allow remote code execution directly, the SSRF can be a stepping stone for more severe attacks. The medium CVSS score reflects the moderate difficulty of exploitation due to required permissions and the potential impact on confidentiality and integrity of internal resources.

Organizations should immediately upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where this vulnerability is patched. In addition to patching, administrators should audit GraphQL schema permissions to ensure that only trusted and authenticated users have asset editing and creation rights, especially in public schemas. Restrict or disable public GraphQL schemas with write permissions to prevent unauthorized access. Implement network-level controls such as firewall rules to limit outbound HTTP requests from the CMS server to only necessary destinations, reducing the impact of SSRF exploitation. Monitoring and logging GraphQL API usage can help detect suspicious activity related to asset mutations. Finally, consider implementing additional SSRF protections that correctly handle both IPv4 and IPv6 DNS resolutions to prevent similar bypasses in the future.