CVE-2026-27127
Received Received - Intake
TOCTOU SSRF Vulnerability in Craft CMS GraphQL Asset Mutation

Publication date: 2026-02-24

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-24
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-24
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27127
EUVD
EUVD-2026-7402
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
craftcms craft_cms 5.0.0
craftcms craft_cms 5.0.0
craftcms craft_cms 3.5.0
craftcms craft_cms From 3.5.1 (inc) to 4.16.19 (exc)
craftcms craft_cms From 5.0.1 (inc) to 5.8.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-27127 is a Server-Side Request Forgery (SSRF) protection bypass vulnerability in Craft CMS’s GraphQL Asset mutation. It arises from a Time-of-Check-Time-of-Use (TOCTOU) race condition caused by separate DNS resolutions during validation and the actual HTTP request.'}, {'type': 'paragraph', 'content': "During validation, the system uses PHP's gethostbyname() to resolve the hostname and check if the IP is within a blocked set of cloud metadata IP addresses. However, the actual HTTP request later performs a second DNS resolution independently using Guzzle/libcurl."}, {'type': 'paragraph', 'content': 'An attacker controlling a malicious DNS server can exploit this by returning a safe IP address during validation and a blocked cloud metadata IP address during the request. This DNS rebinding attack bypasses SSRF protections, allowing access to sensitive cloud metadata endpoints and retrieval of credentials such as IAM roles or service account tokens.'}, {'type': 'paragraph', 'content': 'Exploitation requires GraphQL schema permissions to edit or create assets in a volume, which may be granted to authenticated users or misconfigured public schemas. The root cause is the TOCTOU vulnerability from two separate DNS lookups returning different IPs.'}] [1]

Impact Analysis

This vulnerability can allow an attacker to bypass SSRF protections and access sensitive internal cloud metadata services from the Craft CMS server.

By exploiting this, an attacker can retrieve credentials such as IAM roles, service account tokens, or instance identity documents from cloud providers like AWS, GCP, Azure, Alibaba Cloud, and Oracle Cloud.

With these credentials, the attacker could execute arbitrary code, for example by launching new instances with injected SSH keys, potentially leading to full compromise of cloud infrastructure.

The vulnerability requires specific GraphQL permissions, but if those are granted or misconfigured, the impact can be severe, including unauthorized access and control over cloud resources.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves monitoring for suspicious DNS rebinding activity and unauthorized access attempts to cloud metadata IP addresses such as 169.254.169.254 or other known internal IPs used by cloud providers.

Since the vulnerability exploits a Time-of-Check-Time-of-Use (TOCTOU) race condition with separate DNS resolutions, network detection can focus on identifying DNS queries that resolve to different IP addresses for the same hostname within a short time frame.

You can use network monitoring tools or packet capture utilities like tcpdump or Wireshark to observe DNS traffic and HTTP requests from your Craft CMS server.

  • Use tcpdump to capture DNS queries and responses: tcpdump -i <interface> port 53 -w dns_traffic.pcap
  • Analyze captured DNS traffic with Wireshark to check for DNS rebinding patterns (multiple IPs returned for the same hostname).
  • Monitor HTTP requests from the server to internal IP ranges (e.g., 169.254.169.254) using commands like: sudo netstat -anp | grep <craft_cms_process> or sudo lsof -i -n -P | grep <craft_cms_process>

Additionally, reviewing application logs for GraphQL asset mutation requests from authenticated users with permissions to edit or create assets may help identify exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include upgrading Craft CMS to a patched version: 4.16.19 or later for the 4.x series, or 5.8.23 or later for the 5.x series.

If upgrading immediately is not possible, apply the following mitigations:

  • Implement DNS pinning by resolving hostnames once during validation and forcing HTTP requests to use the same resolved IP address via options like CURLOPT_RESOLVE in libcurl.
  • Enforce network egress filtering to block outgoing requests to known cloud metadata IP addresses such as 169.254.169.254, 169.254.170.2, 100.100.100.200, and 192.0.0.192.
  • Enforce IMDSv2 (Instance Metadata Service version 2) on cloud instances to require token headers for metadata access, reducing risk if SSRF occurs.
  • Review and restrict GraphQL schema permissions to ensure only trusted users have asset editing or creation rights.

The official patch strengthens hostname and IP validation during asset uploads to prevent SSRF by blocking requests to internal or cloud metadata IPs and hostnames.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27127. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart