CVE-2026-27129
SSRF Bypass in Craft CMS GraphQL Asset Mutation via IPv6 Handling
Publication date: 2026-02-24
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craftcms | craft_cms | 5.0.0 |
| craftcms | craft_cms | From 5.0.1 (inc) to 5.8.23 (exc) |
| craftcms | craft_cms | From 3.5.0 (inc) to 4.16.19 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27129 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS's GraphQL Asset mutation. The SSRF check validates the hostname of a user-supplied asset URL with PHP's gethostbyname(), which only resolves IPv4 (A) records. When a hostname has only IPv6 (AAAA) records and no A record, gethostbyname() does not signal an error; it returns the hostname string unchanged. The blocklist comparison is then made against a hostname rather than an IP address, never matches, and the request is allowed through.
Attackers who hold GraphQL schema permissions to create and edit assets in a volume (including through a public schema that grants them) can exploit this by submitting asset URLs whose hostnames resolve only to IPv6 addresses of internal cloud metadata services, such as the AWS IMDS or Google Cloud metadata endpoints. Because no IPv6 address is ever checked, the server fetches content from these internal services and exposes whatever they return, including credentials.
The issue is a bypass of a previous SSRF fix (CVE-2025-68437) and is patched in Craft CMS versions 4.16.19 and 5.8.23. [2, 3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to internal network resources and cloud metadata services. Exploiting it allows attackers to retrieve sensitive information such as AWS IAM role names and credentials from internal metadata endpoints.
With stolen credentials, attackers can gain elevated access to cloud services, potentially launching new instances with attacker-controlled SSH keys, leading to full infrastructure compromise.
Additionally, attackers can perform network reconnaissance, bypass firewall restrictions, and exfiltrate sensitive internal data by leveraging the SSRF vulnerability through the GraphQL asset upload functionality.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection starts with confirming whether your Craft CMS instance runs a vulnerable version (4.5.0-RC1 through 4.16.18, or 5.0.0-RC1 through 5.8.22) and whether any GraphQL schema, public or otherwise, grants permission to create or edit assets in a volume.
Exploitation attempts can be detected by monitoring GraphQL mutation requests that save assets from URLs pointing at internal addresses or cloud metadata endpoints, in particular URLs whose hostnames have only AAAA records, since that is the input that defeats an IPv4-only blocklist.
Suggested commands or approaches include:
- Review web server, WAF or application logs for GraphQL mutations named `save_<VolumeName>_Asset` whose asset URL points at internal IPs, metadata endpoints, or unfamiliar hostnames.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outbound HTTP requests from the CMS server to suspicious internal IPv4 addresses or to IPv6 addresses in the metadata prefixes `fd00:ec2::/32` and `fd20:ce::/32`, the loopback address `::1`, or the link-local range `fe80::/10`.
- Query the DNS records of hostnames found in asset URLs: a name that has AAAA records but no A record is exactly the shape of input that bypasses an IPv4-only SSRF check.
- Example command to capture outbound traffic to the usual metadata addresses (replace the interface as needed): `tcpdump -i eth0 -nn 'host 169.254.169.254 or net fd00:ec2::/32 or net fd20:ce::/32'`
- Example to compare A and AAAA records for a suspicious hostname: `dig +short A suspicious-hostname.example.com; dig +short AAAA suspicious-hostname.example.com`
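The following block is an added illustration written for this page, not Craft CMS's own code. It emulates, in Python, the IPv4-only check described in the explanation above (PHP's gethostbyname() returning the hostname unchanged when only AAAA records exist), shows a resolver-aware check that closes the gap, and runs the log review suggested in the detection steps over a few constructed log lines. The DNS table, hostnames, log format and the `save_images_Asset` mutation name are assumptions made for the example; the metadata prefixes are the ones named on this page.

```python
"""Added illustration for this page: an IPv4-only SSRF host check of the kind the
advisory describes, a resolver-aware check that closes the gap, and a scan of
constructed log lines for suspicious asset mutations. Not Craft CMS code."""
import ipaddress
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed DNS table standing in for live resolution so the example runs offline.
DNS: Dict[str, Dict[str, List[str]]] = {
    "cdn.example.com":         {"A": ["203.0.113.10"], "AAAA": []},
    "v6only.attacker.example": {"A": [], "AAAA": ["fd00:ec2::254"]},           # AWS IMDS over IPv6
    "mapped.attacker.example": {"A": [], "AAAA": ["::ffff:169.254.169.254"]},  # IPv4-mapped IPv6
    "v6pub.example.net":       {"A": [], "AAAA": ["2001:db8::5"]},             # IPv6-only, public
    "169.254.169.254.nip.io":  {"A": ["169.254.169.254"], "AAAA": []},         # wildcard DNS
}

# Metadata prefixes named on this page plus loopback, link-local and RFC 1918 ranges.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fd00:ec2::/32", "fd20:ce::/32",
)]
WILDCARD_DNS_SUFFIXES = (".nip.io", ".sslip.io", ".xip.io")


def php_gethostbyname(host: str) -> str:
    """Emulates PHP's gethostbyname(): the first A record, or the hostname itself,
    unchanged, when the name has no IPv4 record."""
    a_records = DNS.get(host, {}).get("A", [])
    return a_records[0] if a_records else host


def vulnerable_is_blocked(host: str) -> bool:
    """IPv4-only blocklist check (illustrative, not Craft's actual code)."""
    try:
        addr = ipaddress.ip_address(php_gethostbyname(host))
    except ValueError:
        return False  # the unchanged hostname is not an IP, so nothing matches
    return any(addr in net for net in BLOCKED_NETWORKS)


def resolve_all(host: str) -> list:
    """Every A and AAAA record for host, from the constructed table."""
    recs = DNS.get(host, {})
    return [ipaddress.ip_address(a) for a in recs.get("A", []) + recs.get("AAAA", [])]


def hardened_is_blocked(host: str) -> bool:
    """Check every address the host can resolve to and fail closed on no answer."""
    try:
        addrs = [ipaddress.ip_address(host.strip("[]"))]  # IP literal in the URL
    except ValueError:
        addrs = resolve_all(host)
    if not addrs:
        return True
    for addr in addrs:
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped  # ::ffff:169.254.169.254 still reaches IMDS
        if any(addr in net for net in BLOCKED_NETWORKS):
            return True
    return False


# Constructed log lines: a proxy that records GraphQL POST bodies (format is an assumption).
LOG_LINES = [
    '2026-02-25T10:00:01Z POST /api mutation { save_images_Asset(_file: {url: "https://cdn.example.com/a.png", filename: "a.png"}) { id } }',
    '2026-02-25T10:00:07Z POST /api mutation { save_images_Asset(_file: {url: "http://v6only.attacker.example/latest/meta-data/iam/", filename: "x"}) { id } }',
    '2026-02-25T10:00:09Z POST /api mutation { save_images_Asset(_file: {url: "http://169.254.169.254.nip.io/latest/meta-data/", filename: "y"}) { id } }',
    '2026-02-25T10:00:12Z POST /api mutation { save_images_Asset(_file: {url: "http://v6pub.example.net/logo.svg", filename: "z"}) { id } }',
    '2026-02-25T10:00:15Z POST /api query { assets { id } }',
]
MUTATION_RE = re.compile(r"\b(save_\w+_Asset)\b")
URL_RE = re.compile(r'url:\s*"([^"]+)"')


def scan_log(lines: List[str]) -> List[Tuple[int, str, str, str]]:
    """(line_no, mutation, host, reason) for asset mutations whose URL host is a
    wildcard-DNS name, resolves to a blocked address, or has AAAA but no A records."""
    findings = []
    for n, line in enumerate(lines, 1):
        mut = MUTATION_RE.search(line)
        if not mut:
            continue
        for url in URL_RE.findall(line):
            host = urlsplit(url).hostname or ""
            recs = DNS.get(host, {})
            if host.endswith(WILDCARD_DNS_SUFFIXES):
                reason = "wildcard DNS host"
            elif hardened_is_blocked(host):
                reason = "blocked or unresolvable address"
            elif recs.get("AAAA") and not recs.get("A"):
                reason = "IPv6-only host (passes an IPv4-only check)"
            else:
                continue
            findings.append((n, mut.group(1), host, reason))
    return findings


if __name__ == "__main__":
    print("vulnerable check blocks v6only host:", vulnerable_is_blocked("v6only.attacker.example"))
    print("hardened check blocks v6only host:  ", hardened_is_blocked("v6only.attacker.example"))
    for finding in scan_log(LOG_LINES):
        print(finding)
```

The two checks differ only in what they resolve: the vulnerable one trusts a single IPv4 answer and silently lets a non-IP string through, while the hardened one collects every A and AAAA answer, unwraps IPv4-mapped IPv6 addresses, and fails closed when a name resolves to nothing. Against a real resolver the table lookup would be replaced by `socket.getaddrinfo`, and the log scan would read from your proxy or WAF export instead of the embedded lines.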
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is updating Craft CMS to a release that fixes the check; the remaining steps reduce exposure in the meantime and limit what a future bypass could reach.
- Upgrade Craft CMS to version 4.16.19 or later, or 5.8.23 or later, where the SSRF validation resolves and checks IPv6 addresses as well as IPv4 and blocks the internal metadata service prefixes.
- Restrict GraphQL schema permissions so that only trusted users can create and edit assets in a volume; audit the public schema in particular, since it requires no authentication.
- Block or restrict outbound access from the CMS host to cloud metadata addresses and internal IPv6 prefixes at the network or host-firewall level, including `fd00:ec2::/32`, `fd20:ce::/32`, `::1`, and `fe80::/10`. If the application itself legitimately uses the metadata service (for example to obtain instance credentials), prefer enforcing IMDSv2 over a blanket block: its session token must be obtained with a PUT request, which an SSRF primitive limited to GET cannot issue.
- Block wildcard DNS services such as nip.io, sslip.io, and xip.io at your resolver or egress filter, since they let an attacker point an arbitrary hostname at any address without controlling a domain.
Together these steps ensure addresses are validated after full resolution, limit who can reach the asset mutation, and shrink what an SSRF from the CMS host can reach.