Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: SSRF Bypass
Action: Patch
AI Analysis

Impact

Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 contain a time-of-check time-of-use flaw in the GraphQL Asset mutation. The validation routine resolves the DNS name of the supplied URL and checks the resulting address, but the HTTP client then resolves the name again when it makes the request, so an attacker who controls the name's DNS server can answer with a permitted IP during validation and a different, blocked IP for the actual request. This DNS rebinding bypasses the SSRF protection added for CVE-2025-68437 and reaches any blocked address, not only the IPv6 endpoints covered by the prior fix, so the server-side request can be pointed at any internal host or cloud metadata service.
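The check/use split described above, and the usual fix of connecting to the very address that was validated, as an added illustration that is not Craft CMS code: a constructed resolver stands in for an attacker-controlled DNS zone, `fake_connect` stands in for the HTTP request, and the blocked ranges are a typical deny list rather than Craft's.

```python
import ipaddress

# Address ranges the fetcher must never reach: "this host", RFC 1918, CGNAT,
# loopback, link-local (169.254.169.254 cloud metadata lives here), unique-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules also apply to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def make_rebinding_resolver(answers):
    """Constructed stand-in for an attacker-controlled zone with a zero TTL:
    successive lookups return successive answers, then keep returning the last."""
    remaining = list(answers)
    def resolve(hostname: str) -> str:
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]
    return resolve

def fetch_vulnerable(hostname: str, resolve, connect) -> str:
    """Time of check: validate whatever the name resolves to right now."""
    if is_blocked(resolve(hostname)):
        raise PermissionError(f"{hostname} resolves to a blocked address")
    # Time of use: the HTTP client does its own lookup, which may now differ.
    return connect(resolve(hostname), hostname)

def fetch_pinned(hostname: str, resolve, connect) -> str:
    """Resolve once, validate that address, and connect to exactly that address;
    the hostname is passed along only for the Host header / TLS SNI."""
    ip = resolve(hostname)
    if is_blocked(ip):
        raise PermissionError(f"{hostname} resolves to a blocked address")
    return connect(ip, hostname)

def fake_connect(ip: str, hostname: str) -> str:
    """Stand-in for the HTTP request: reports which address was actually contacted."""
    return ip

if __name__ == "__main__":
    dns = make_rebinding_resolver(["203.0.113.10", "169.254.169.254"])  # constructed
    print("vulnerable reached", fetch_vulnerable("rebind.example", dns, fake_connect))
    dns = make_rebinding_resolver(["203.0.113.10", "169.254.169.254"])
    print("pinned reached", fetch_pinned("rebind.example", dns, fake_connect))
```

Following redirects re-opens the same gap: each 3xx target needs the resolve, check and pin sequence again before the next connection is made.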

Affected Systems

The affected product is Craft CMS, with impacted releases from the listed 4.x and 5.x branches. Releases before 4.16.19 on the 4.x branch and before 5.8.23 on the 5.x branch are vulnerable, while 4.16.19 and 5.8.23 contain the remediation. The issue is relevant to sites that expose the GraphQL API and grant asset-mutation rights to users, or that misconfigure the public schema with write capabilities.

Risk and Exploitability

The CVSS score of 7.0 indicates high severity, yet the EPSS score remains below 1% and the vulnerability is not yet in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that an attacker can use the GraphQL asset mutation to edit or create assets in a volume; in many installations this privilege is granted to authenticated users, or to public schema users when the schema is misconfigured. Because the check and the use are separated in time, a successful attack could enable internal network reconnaissance or reach cloud metadata services, potentially exposing sensitive tokens and enabling further lateral movement.

Generated by OpenCVE AI on April 16, 2026 at 16:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.16.19 or 5.8.23, which include the SSRF protection fix.
  • Restrict GraphQL schema permissions so that only authorized authenticated users can perform asset mutation operations, and ensure the public schema does not allow write access to assets.
  • If an immediate upgrade is not possible, reduce exposure by blocking outbound connections from the CMS server to internal IP ranges at the firewall and by restricting the outbound DNS queries the server can make.

Generated by OpenCVE AI on April 16, 2026 at 16:29 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-gp2f-7wcm-5fhx
Title: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
History

Sat, 28 Feb 2026 03:15:00 +0000

  • Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 19:45:00 +0000

  • First Time appeared (added): Craftcms craft Cms
  • CPEs (added):
    cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:3.5.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
    cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  • Vendors & Products (added): Craftcms craft Cms
  • Metrics (added): cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N'}


Tue, 24 Feb 2026 10:00:00 +0000

  • First Time appeared (added): Craftcms; Craftcms craftcms
  • Vendors & Products (added): Craftcms; Craftcms craftcms

Tue, 24 Feb 2026 03:00:00 +0000

  • Description (added): Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
  • Title (added): Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
  • Weaknesses (added): CWE-367
  • References (added):
  • Metrics (added): cvssV4_0 {'score': 7, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-28T02:12:36.723Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27127

Vulnrichment

Updated: 2026-02-28T02:12:32.548Z

NVD

Status: Analyzed

Published: 2026-02-24T03:16:02.440

Modified: 2026-02-25T19:31:05.077

Link: CVE-2026-27127

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T16:30:15Z

Weaknesses