
CVE-2026-28423: CWE-918: Server-Side Request Forgery (SSRF) in statamic cms

Severity: Medium
Published: Fri Feb 27 2026 (02/27/2026, 22:11:55 UTC)
Source: CVE Database V5
Vendor/Project: statamic
Product: cms

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.

AI-Powered Analysis

Last updated: 02/27/2026, 22:48:40 UTC

Technical Analysis

Statamic CMS, a Laravel and Git-powered content management system, contains a Server-Side Request Forgery (SSRF) vulnerability identified as CVE-2026-28423. This vulnerability arises when the Glide image manipulation feature is enabled in insecure mode, which is not the default configuration. In this mode, the image proxy functionality can be manipulated by unauthenticated attackers to force the server to send HTTP requests to arbitrary URLs. Attackers can exploit this by crafting URLs directly or leveraging the watermark feature to induce the server to make requests to internal network resources, cloud metadata endpoints (such as AWS or Azure metadata services), or other hosts accessible from the server environment. This can lead to unauthorized disclosure of sensitive internal information. The vulnerability affects Statamic CMS versions below 5.73.11 and versions from 6.0.0 up to but not including 6.4.0. The flaw has been addressed in versions 5.73.11 and 6.4.0 by securing the Glide image proxy to prevent SSRF exploitation. The CVSS 3.1 base score is 6.8, reflecting medium severity, with the vector indicating network attack vector, high attack complexity, no privileges required, no user interaction, scope changed, high confidentiality impact, and no integrity or availability impact. No known exploits have been reported in the wild as of the publication date.

Potential Impact

The primary impact of this SSRF vulnerability is the potential unauthorized access to internal network resources and cloud metadata endpoints, which can lead to significant confidentiality breaches. Attackers could retrieve sensitive information such as internal IP addresses, configuration data, or cloud instance credentials from metadata services, enabling further attacks like privilege escalation or lateral movement within the network. Since the vulnerability does not require authentication or user interaction, it poses a risk to any exposed Statamic CMS instance configured with insecure Glide mode. However, the attack complexity is high due to the need for insecure mode activation, which is not the default, somewhat limiting widespread exploitation. Organizations using affected Statamic CMS versions in environments with sensitive internal services or cloud infrastructure are at elevated risk. The vulnerability does not directly impact data integrity or system availability but can be a stepping stone for more severe attacks.

Mitigation Recommendations

Organizations should immediately upgrade Statamic CMS to version 5.73.11 or 6.4.0 or later, where the SSRF vulnerability has been fixed. If upgrading is not immediately possible, administrators should ensure that the Glide image manipulation feature is not configured in insecure mode, as this is the prerequisite for exploitation. Network-level controls should be implemented to restrict outbound HTTP requests from the CMS server to only trusted destinations, preventing unauthorized internal or cloud metadata endpoint access. Additionally, monitoring and logging of outbound requests from the CMS server can help detect suspicious SSRF attempts. Employing web application firewalls (WAFs) with SSRF detection rules can provide an additional layer of defense. Finally, review and restrict access to cloud metadata services using cloud provider-specific controls (e.g., IMDSv2 for AWS) to reduce the risk of metadata exposure.
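As an added example (not Statamic's own code, which is PHP), this is the kind of destination check a defender would want in front of any server-side image or watermark fetch such as the Glide proxy: only http(s), an optional hostname allow-list, and every address the host resolves to must fall outside loopback, private, CGNAT and link-local ranges, which is where cloud metadata endpoints live. The function names and the allow-listed host are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an image-proxy or watermark fetch must never reach: loopback, RFC 1918, CGNAT,
# link-local (home of the 169.254.169.254 metadata endpoint) and IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked_address(addr: str) -> bool:
    """True if the textual IPv4/IPv6 address is in a blocked range (or unparsable)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is checked as 127.0.0.1
    return any(ip in net for net in BLOCKED_NETWORKS)

def system_resolver(host: str) -> set:
    return {info[4][0] for info in socket.getaddrinfo(host, None)}  # A and AAAA answers

def check_image_source(url: str, allowed_hosts=None, resolver=system_resolver):
    """Return (ok, reason); resolver is injectable so the check runs offline in tests."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allow-list"
    try:
        addresses = {str(ipaddress.ip_address(host))}  # literal IP: no DNS lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "could not resolve host"
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:  # every answer must be safe, not just the first one
        if is_blocked_address(addr):
            return False, "resolves to blocked address " + addr
    return True, "ok"
```

Checking the resolved address and then letting the HTTP client resolve the name a second time leaves a DNS rebinding window, so the actual fetch should connect to the address that passed the check.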


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-27T15:54:05.136Z
Cvss Version
3.1
State
PUBLISHED

Added to database: 2/27/2026, 10:48:02 PM

Last enriched: 2/27/2026, 10:48:40 PM

Last updated: 2/28/2026, 1:42:19 AM