Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
Published: 2026-02-24
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery Bypass
Action: Apply Patch
AI Analysis

Impact

Craft CMS’s GraphQL Asset mutation uses gethostbyname() to validate hostnames, resolving only IPv4 addresses, an oversight identified as CWE-918. When a hostname offers only AAAA (IPv6) records, gethostbyname() returns the hostname string itself, causing the blocklist comparison to fail and the SSRF protection to be bypassed. This flaw is a direct bypass of the fix for CVE-2025-68437 and allows a malicious request to reach internal or cloud‑metadata services that the server can access.

Affected Systems

Craft CMS versions 4.5.0‑RC1 through 4.16.18 and 5.0.0‑RC1 through 5.8.22 are affected. The vulnerability applies to the GraphQL Asset mutation endpoint and requires the same product and version identifiers used in the CWE‑918 listing.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, yet it can be abused by anyone who has GraphQL schema permissions to edit or create assets in an authenticated or misconfigured public schema. The attack requires only the ability to send a GraphQL mutation, which is often available to authenticated users with asset‑management privileges.

Generated by OpenCVE AI on April 18, 2026 at 10:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Craft CMS patch (version 4.16.19 or later, or 5.8.23 or later) to correct the SSRF validation logic.
  • Restrict GraphQL asset mutation permissions so that only users who truly need to create or edit assets have write access, and remove such permissions from any public GraphQL schema.
  • If an immediate patch is not possible, implement an interim check that rejects hostnames resolving only to IPv6 addresses and enforce a manual blocklist comparison against known internal or cloud‑metadata endpoints.

Generated by OpenCVE AI on April 18, 2026 at 10:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v2gc-rm6g-wrw9 Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
History

Mon, 02 Mar 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}

Sat, 28 Feb 2026 03:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 24 Feb 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 24 Feb 2026 03:00:00 +0000

Type Values Removed Values Added
Description Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
Title Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-28T02:17:18.957Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27129

cve-icon Vulnrichment

Updated: 2026-02-28T02:17:13.721Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-24T03:16:02.807

Modified: 2026-03-02T20:35:37.990

Link: CVE-2026-27129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:00:05Z

Weaknesses