CVE-2026-27129: CWE-918: Server-Side Request Forgery (SSRF) in craftcms cms
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
AI Analysis
Technical Summary
CVE-2026-27129 is a Server-Side Request Forgery (SSRF) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the GraphQL Asset mutation functionality, which includes SSRF validation to prevent unauthorized internal or external network requests. The validation mechanism uses the PHP function gethostbyname() to resolve hostnames to IP addresses, but this function only supports IPv4 resolution. If a hostname resolves exclusively to IPv6 addresses (AAAA DNS records), gethostbyname() returns the hostname string itself instead of an IP address. Consequently, the blocklist comparison designed to detect and block SSRF attempts fails, allowing attackers to bypass SSRF protections. This flaw effectively negates the security fix implemented for CVE-2025-68437. To exploit this vulnerability, an attacker must have GraphQL schema permissions that allow editing or creating assets within specific volumes, which may be granted to authenticated users or misconfigured public schemas with write access. The vulnerability affects Craft CMS versions from 4.5.0-RC1 up to but not including 4.16.19, and from 5.0.0-RC1 up to but not including 5.8.23, where patches have been applied. The CVSS 5.7 score indicates a medium severity level, reflecting the moderate complexity of exploitation and the requirement for some privileges but no user interaction. No known exploits have been reported in the wild as of the publication date.
Potential Impact
This SSRF vulnerability can allow attackers with certain GraphQL permissions to make unauthorized requests from the server to internal or external systems, potentially accessing sensitive internal resources, metadata services, or other protected network segments. The ability to bypass SSRF protections using IPv6-only hostnames increases the attack surface, especially in environments where IPv6 is prevalent. This could lead to data exposure, unauthorized internal network scanning, or pivoting attacks within an organization's infrastructure. Since exploitation requires authenticated access with specific permissions, the risk is higher in environments with misconfigured or overly permissive GraphQL schemas, including public schemas with write access. Organizations using vulnerable Craft CMS versions may face increased risk of internal network compromise, data leakage, and potential disruption of services if attackers leverage this flaw.
Mitigation Recommendations
Organizations should immediately upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where this vulnerability is patched. Review and tighten GraphQL schema permissions to ensure that only trusted and necessary users have asset editing or creation rights, especially in public schemas. Disable or restrict public GraphQL schemas with write permissions to minimize exposure. Implement network-level controls to limit outbound requests from the CMS server to only trusted destinations, reducing the impact of SSRF exploitation. Monitor logs for unusual GraphQL asset mutation activity, particularly requests involving IPv6 hostnames or unexpected external domains. Conduct regular audits of DNS configurations and internal network services to identify potential targets of SSRF attacks. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SSRF patterns, including those involving IPv6 addresses. Finally, educate development and operations teams about the risks of SSRF and the importance of proper input validation and permission management in GraphQL APIs.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan, South Korea, India
CVE-2026-27129: CWE-918: Server-Side Request Forgery (SSRF) in craftcms cms
Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-27129 is a Server-Side Request Forgery (SSRF) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the GraphQL Asset mutation functionality, which includes SSRF validation to prevent unauthorized internal or external network requests. The validation mechanism uses the PHP function gethostbyname() to resolve hostnames to IP addresses, but this function only supports IPv4 resolution. If a hostname resolves exclusively to IPv6 addresses (AAAA DNS records), gethostbyname() returns the hostname string itself instead of an IP address. Consequently, the blocklist comparison designed to detect and block SSRF attempts fails, allowing attackers to bypass SSRF protections. This flaw effectively negates the security fix implemented for CVE-2025-68437. To exploit this vulnerability, an attacker must have GraphQL schema permissions that allow editing or creating assets within specific volumes, which may be granted to authenticated users or misconfigured public schemas with write access. The vulnerability affects Craft CMS versions from 4.5.0-RC1 up to but not including 4.16.19, and from 5.0.0-RC1 up to but not including 5.8.23, where patches have been applied. The CVSS 5.7 score indicates a medium severity level, reflecting the moderate complexity of exploitation and the requirement for some privileges but no user interaction. No known exploits have been reported in the wild as of the publication date.
Potential Impact
This SSRF vulnerability can allow attackers with certain GraphQL permissions to make unauthorized requests from the server to internal or external systems, potentially accessing sensitive internal resources, metadata services, or other protected network segments. The ability to bypass SSRF protections using IPv6-only hostnames increases the attack surface, especially in environments where IPv6 is prevalent. This could lead to data exposure, unauthorized internal network scanning, or pivoting attacks within an organization's infrastructure. Since exploitation requires authenticated access with specific permissions, the risk is higher in environments with misconfigured or overly permissive GraphQL schemas, including public schemas with write access. Organizations using vulnerable Craft CMS versions may face increased risk of internal network compromise, data leakage, and potential disruption of services if attackers leverage this flaw.
Mitigation Recommendations
Organizations should immediately upgrade Craft CMS to versions 4.16.19 or 5.8.23 or later, where this vulnerability is patched. Review and tighten GraphQL schema permissions to ensure that only trusted and necessary users have asset editing or creation rights, especially in public schemas. Disable or restrict public GraphQL schemas with write permissions to minimize exposure. Implement network-level controls to limit outbound requests from the CMS server to only trusted destinations, reducing the impact of SSRF exploitation. Monitor logs for unusual GraphQL asset mutation activity, particularly requests involving IPv6 hostnames or unexpected external domains. Conduct regular audits of DNS configurations and internal network services to identify potential targets of SSRF attacks. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SSRF patterns, including those involving IPv6 addresses. Finally, educate development and operations teams about the risks of SSRF and the importance of proper input validation and permission management in GraphQL APIs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-02-17T18:42:27.043Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 699d14d8be58cf853b182c4e
Added to database: 2/24/2026, 3:02:48 AM
Last enriched: 3/3/2026, 6:46:35 PM
Last updated: 4/10/2026, 10:17:27 PM
Views: 54
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.