Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
Published: 2026-02-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery via GraphQL Asset Mutation
Action: Patch
AI Analysis

Impact

Craft CMS lets an attacker supply a URL to the saveAsset GraphQL mutation. The application validates the target hostname and its resolved IP against a blocklist, but the underlying Guzzle HTTP client follows redirects by default, so only the initial URL is checked. An attacker can therefore host a redirect that points to cloud metadata or internal IP addresses, bypassing all SSRF safeguards and enabling server-side request forgery, data exfiltration, or privilege escalation.

Affected Systems

All Craft CMS releases from 4.0.0-RC1 to 4.16.17 and from 5.0.0-RC1 to 5.8.21 are vulnerable. The issue is fixed in 4.16.18 and 5.8.22.

Risk and Exploitability

A CVSS score of 6.9 indicates moderate severity, and an EPSS score below 1% indicates a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. An attacker needs to be able to submit a saveAsset mutation to the application's GraphQL endpoint; once that mutation runs, the server's HTTP client follows the redirect and reaches the targeted internal resource.

Generated by OpenCVE AI on April 17, 2026 at 21:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to a patched release (4.16.18 or newer, or 5.8.22 or newer).
  • Configure the Guzzle HTTP client used in asset uploads to disable automatic redirection so that the host and IP checks are enforced.
  • Restrict the GraphQL Asset Mutation endpoint to only allow URLs that resolve to trusted domains or IP ranges, and block internal or cloud metadata endpoints.
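The impact analysis above describes a check that validates only the initial URL while Guzzle silently follows the redirect, and the recommended actions ask for redirect following to be disabled so the host and IP checks hold. The following PHP is an added example written for this page; it is not Craft CMS's or Guzzle's own code. The function names (isBlockedIp, resolveAll, assertUrlAllowed, fetchAsset) are this example's own; the Guzzle options allow_redirects, max, strict, protocols and on_redirect are real, and the sample URLs at the bottom are constructed inputs.

```php
<?php
// Added example (not Craft CMS or Guzzle code): a hostname/IP blocklist check
// plus the two Guzzle settings that stop a redirect from sidestepping it:
// 'allow_redirects' => false, or a bounded redirect policy whose 'on_redirect'
// callback re-validates every hop before Guzzle requests it.

require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;
use Psr\Http\Message\RequestInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\UriInterface;

/** True for any address a server-side fetch must not reach: RFC 1918, loopback,
 *  link-local (which includes 169.254.169.254), unique-local v6, v4-mapped v6.
 *  A string that is not a valid IP at all is also treated as blocked (fail closed). */
function isBlockedIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) === false;
}

/** Every A/AAAA answer for a name; a name that does not resolve yields []. */
function resolveAll(string $host): array
{
    $ips = [];
    foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rr) {
        $ips[] = $rr['ip'] ?? $rr['ipv6'];
    }
    return $ips;
}

/** Throws unless $url is http(s) and every address its host maps to is allowed. */
function assertUrlAllowed(string $url): void
{
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        throw new InvalidArgumentException("Unparseable URL: $url");
    }
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        throw new InvalidArgumentException("Scheme not allowed: $url");
    }
    $host = trim($parts['host'], '[]');   // strip IPv6 literal brackets
    $ips  = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : resolveAll($host);
    if ($ips === []) {
        throw new InvalidArgumentException("Host does not resolve: $host");
    }
    foreach ($ips as $ip) {
        if (isBlockedIp($ip)) {
            throw new InvalidArgumentException("Blocked address $ip for host $host");
        }
    }
}

/**
 * Fetch a remote asset. With $followRedirects = false a 3xx is refused outright;
 * with true, up to three hops are followed and each Location target is validated
 * exactly like the original URL before Guzzle issues the next request.
 */
function fetchAsset(string $url, bool $followRedirects = false): ResponseInterface
{
    assertUrlAllowed($url);
    $client = new Client(['timeout' => 10]);

    if (!$followRedirects) {
        $res = $client->get($url, ['allow_redirects' => false]);
        if ($res->getStatusCode() >= 300 && $res->getStatusCode() < 400) {
            throw new RuntimeException("Refusing redirect from $url");
        }
        return $res;
    }

    return $client->get($url, [
        'allow_redirects' => [
            'max'         => 3,
            'strict'      => true,
            'protocols'   => ['http', 'https'],
            // Guzzle invokes this before sending the next hop; throwing aborts the chain.
            'on_redirect' => function (RequestInterface $req, ResponseInterface $res, UriInterface $next): void {
                assertUrlAllowed((string) $next);
            },
        ],
    ]);
}

// Constructed inputs: a metadata address, a loopback literal and a private-range
// address are all rejected before any request leaves the server.
foreach (['http://169.254.169.254/latest/meta-data/', 'http://[::1]/', 'http://10.0.0.5/'] as $bad) {
    try {
        fetchAsset($bad);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), PHP_EOL;
    }
}
```

Of the two settings, `'allow_redirects' => false` is the more conservative: the per-hop callback resolves each name itself, separately from the connection Guzzle's transport later makes, so it relies on both resolutions agreeing. Either way, a 3xx answer is a signal worth logging from the asset-import path rather than something to follow silently.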



Advisories
Source: Github GHSA
ID: GHSA-8jr8-7hr4-vhfx
Title: Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via HTTP Redirect
History

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared: Craftcms craft Cms
CPEs:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products: Craftcms craft Cms
Metrics cvssV3_1:

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc:

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 09 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description: Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
Title: Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect
Weaknesses: CWE-918
References:
Metrics cvssV4_0:

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:35.771Z

Reserved: 2026-02-02T16:31:35.823Z

Link: CVE-2026-25493

Vulnrichment

Updated: 2026-02-10T15:39:51.551Z

NVD

Status : Analyzed

Published: 2026-02-09T20:15:57.793

Modified: 2026-02-19T19:20:06.863

Link: CVE-2026-25493

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T21:30:28Z

Weaknesses