Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Published: 2026-02-09
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server Side Request Forgery
Action: Patch Immediately
AI Analysis

Impact

The vulnerability exists in Craft CMS's GraphQL saveAsset mutation, which uses a standard IP validation function (filter_var with FILTER_VALIDATE_IP) that does not recognize IP addresses written in hexadecimal or mixed notation, so such values are never matched against the blocklist. Attackers can exploit this oversight to supply URLs that bypass the blocklist and reach internal cloud metadata services, potentially exposing sensitive system information.
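
As an added illustration (not Craft's code, and in Python rather than PHP), the weak pattern the description refers to beside a hardened one: a strict dotted-decimal validator stands in for filter_var(..., FILTER_VALIDATE_IP), and canonicalize_ipv4 implements the inet_aton()-style parsing that HTTP clients apply to a host, so hexadecimal, octal and mixed notations are compared against the blocklist only after canonicalization. The blocklist ranges are constructed for the example.

```python
import ipaddress
import re
from typing import Optional

# Constructed blocklist for this example (not Craft's list): loopback and
# the link-local range where cloud metadata services live.
BLOCKED_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("169.254.0.0/16")]

# One inet_aton()-style component: hex (0x..), octal (leading 0) or decimal.
_PART = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _parse_part(p: str) -> int:
    if p[:2].lower() == "0x":
        return int(p[2:], 16)
    return int(p, 8) if len(p) > 1 and p[0] == "0" else int(p)


def canonicalize_ipv4(host: str) -> Optional[str]:
    """Parse an IPv4 literal the way inet_aton() (and most HTTP clients) does:
    1-4 parts, each hex/octal/decimal, the last part filling the remaining
    bytes. Returns dotted-decimal, or None if host is not an IPv4 literal."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.match(p) for p in parts):
        return None
    values = [_parse_part(p) for p in parts]
    if any(v > 0xFF for v in values[:-1]) or values[-1] >= 1 << (8 * (5 - len(values))):
        return None
    addr = values[-1]
    for i, v in enumerate(values[:-1]):
        addr |= v << (8 * (3 - i))
    return str(ipaddress.IPv4Address(addr))


def strict_is_blocked(host: str) -> bool:
    """The weak pattern: a strict dotted-decimal validator rejects "0x7f000001",
    so the value counts as "not an IP" and is never compared to the blocklist."""
    try:
        ip = ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return any(ip in net for net in BLOCKED_NETWORKS)


def is_blocked(host: str) -> bool:
    """Hardened check: canonicalize every literal notation before comparing.
    Hostnames (None here) must be resolved and each address re-checked."""
    canonical = canonicalize_ipv4(host)
    if canonical is None:
        return False
    ip = ipaddress.ip_address(canonical)
    return any(ip in net for net in BLOCKED_NETWORKS)
```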

Affected Systems

Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 are affected. Versions 4.16.18 and 5.8.22 contain the patch that corrects the validation logic.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.9, indicating moderate severity. The EPSS score is below 1%, suggesting a low but non-zero possibility of exploitation. It is not currently listed in CISA's KEV catalog. Based on the description, it is inferred that exploitation requires authenticated access to the GraphQL API and involves using alternative IP notation to bypass the server's address filter, enabling access to internal metadata endpoints.

Generated by OpenCVE AI on April 18, 2026 at 18:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Craft CMS update (4.16.18 or later, or 5.8.22 or later).
  • Configure the GraphQL service to restrict access to authenticated users only.
  • If an immediate update is not possible, block outbound traffic to known internal metadata service endpoints to mitigate potential data leakage.

Tracking

Advisories
Source ID Title
Github GHSA GHSA-m5r2-8p9x-hp5m Craft CMS Vulnerable to SSRF in GraphQL Asset Mutation via Alternative IP Notation
History

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Tue, 10 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms, Craftcms craftcms
Vendors & Products Craftcms, Craftcms craftcms

Mon, 09 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Description Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, alternative IP notations (hexadecimal, mixed) are not recognized by this function, allowing attackers to bypass the blocklist and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
Title Craft has a SSRF in GraphQL Asset Mutation via Alternative IP Notation
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:00:28.753Z

Reserved: 2026-02-02T16:31:35.824Z

Link: CVE-2026-25494

Vulnrichment

Updated: 2026-02-10T15:39:50.132Z

NVD

Status : Analyzed

Published: 2026-02-09T20:15:57.937

Modified: 2026-02-19T19:17:44.850

Link: CVE-2026-25494

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T18:15:06Z

Weaknesses