CVE-2026-28423 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Statamic content management system (CMS), which is built on Laravel and integrates Git for content management. The vulnerability arises when the Glide image manipulation feature is configured in insecure mode, a non-default setting. In this mode, the image proxy functionality can be manipulated by an unauthenticated attacker to force the server to initiate HTTP requests to arbitrary URLs. This can be exploited either directly through the URL or indirectly via the watermark feature. SSRF vulnerabilities allow attackers to bypass network restrictions and access internal services that are otherwise unreachable externally, such as internal APIs, cloud provider metadata endpoints (e.g., AWS, Azure, GCP), or other sensitive internal resources. The affected versions include all Statamic CMS releases prior to 5.73.11 and versions from 6.0.0 up to but not including 6.4.0. The vulnerability does not require any authentication or user interaction, increasing its risk profile. However, exploitation requires the insecure Glide mode to be enabled, which is not the default configuration, somewhat limiting the attack surface. The vulnerability has been assigned a CVSS v3.1 base score of 6.8, reflecting a medium severity level, primarily due to the high confidentiality impact but no direct impact on integrity or availability. No known exploits in the wild have been reported to date. The issue was addressed in Statamic versions 5.73.11 and 6.4.0 by securing the image proxy functionality to prevent arbitrary URL requests. Organizations using affected versions should upgrade promptly and verify that insecure Glide mode is disabled if upgrading is not immediately feasible.

The primary impact of this SSRF vulnerability is the potential exposure of sensitive internal resources to unauthenticated attackers. By exploiting this flaw, attackers can access internal services that are normally protected by network segmentation or firewalls, such as internal APIs, administrative interfaces, or cloud metadata endpoints that often contain credentials or configuration data. This can lead to unauthorized disclosure of sensitive information, including credentials, tokens, or configuration details, which can be leveraged for further attacks such as privilege escalation or lateral movement within the network. While the vulnerability does not directly affect data integrity or system availability, the confidentiality breach can have severe consequences, especially in cloud environments where metadata endpoints provide access to instance credentials. Organizations using Statamic CMS in environments with sensitive internal services or cloud infrastructure are at higher risk. The lack of authentication requirement and the ability to trigger requests remotely increase the threat level. However, the requirement for insecure Glide mode to be enabled reduces the overall attack surface, limiting exposure to misconfigured deployments. The absence of known exploits in the wild suggests limited active exploitation currently, but the vulnerability remains a significant risk if left unpatched.

1. Upgrade Statamic CMS to version 5.73.11 or later, or 6.4.0 or later, as these versions contain the fix for this SSRF vulnerability. 2. If immediate upgrade is not possible, ensure that the Glide image manipulation feature is not configured in insecure mode, as this mode enables the vulnerability. 3. Implement network-level controls to restrict the CMS server’s ability to make outbound HTTP requests to internal or sensitive endpoints, such as cloud metadata services. 4. Employ web application firewalls (WAFs) with rules designed to detect and block SSRF attack patterns targeting image proxy endpoints. 5. Conduct regular security audits and configuration reviews to verify that insecure features are disabled and that the CMS is running supported, patched versions. 6. Monitor logs for unusual outbound HTTP requests originating from the CMS server, which may indicate attempted exploitation. 7. Educate development and operations teams about the risks of enabling insecure modes in CMS features and enforce secure configuration baselines. 8. Consider isolating the CMS server in a network segment with limited access to internal services to reduce potential impact if exploited.