Description
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
Published: 2026-04-21
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server-Side Request Forgery
Action: Apply Patch
AI Analysis

Impact

Craft CMS versions up to 4.17.8 on the 4.x branch and 5.9.14 on the 5.x branch contain a Server‑Side Request Forgery vulnerability that enables an attacker to have the application initiate requests from the server to arbitrary URLs. The flaw is exposed through GraphQL asset upload mutations, and requires that the attacker have the "Edit assets" and "Create assets" permissions for a target volume. The vulnerability is classified as CWE‑918 and allows potential exposure of internal resources, data leakage, or attack surface expansion on the server.

Affected Systems

Affected products are Craft CMS on the 4.x and 5.x branches. The vulnerable releases are those dated 4.17.8 or earlier on 4.x, and 5.9.14 or earlier on 5.x. The issue is fixed in 4.17.9 and 5.9.15, respectively.

Risk and Exploitability

The CVSS score of 5.5 indicates a moderate risk, and no EPSS score is reported. The vulnerability is not listed in CISA KEV. Attack requires specific GraphQL permissions that may not be granted to all users, which limits the exposure to environments where those permissions are enabled. A successful exploitation would let a malicious actor explore internal networks from the CMS server, potentially leading to further attacks.

Generated by OpenCVE AI on April 22, 2026 at 06:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.9 or newer, or 5.9.15 or newer, whichever applies to your deployment.
  • Revoke the "Edit assets" and "Create assets" permissions for volumes in the GraphQL schema for all users except those who legitimately need them.
  • If immediate patching is not possible, block or remove the asset upload mutation endpoint from the GraphQL schema to prevent exploitation.

Generated by OpenCVE AI on April 22, 2026 at 06:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
Title Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Craftcms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T23:34:56.801Z

Reserved: 2026-04-17T12:59:15.737Z

Link: CVE-2026-41129

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-22T00:16:28.733

Modified: 2026-04-22T00:16:28.733

Link: CVE-2026-41129

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T11:30:15Z

Weaknesses