CVE-2026-27129
Status: Received - Intake
SSRF Bypass in Craft CMS GraphQL Asset Mutation via IPv6 Handling

Publication date: 2026-02-24

Last updated on: 2026-03-02

Assigner: GitHub, Inc.

Description
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
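The following PHP is an added example and not code from Craft CMS or from the advisory. `vulnerableCheck()` reproduces the shape the description attributes to the flawed validation (a `gethostbyname()` result compared against a blocklist), and `hardenedCheck()` shows the fix that shape needs: resolve both A and AAAA records, canonicalise IPv4-mapped IPv6 so IPv4 rules still apply, and fail closed when nothing resolves. The function names, the `BLOCKED_PREFIXES` list and the `FAKE_DNS` table (constructed records, including an AAAA-only name that points at the AWS IMDS IPv6 address `fd00:ec2::254`) are this example's own assumptions; `liveResolver()` is the drop-in for real lookups.

```php
<?php
// Added example, not Craft CMS code. vulnerableCheck() mirrors the pattern the advisory
// describes (gethostbyname() + blocklist compare); hardenedCheck() resolves A and AAAA,
// unmaps IPv4-mapped IPv6 and fails closed. Names, prefixes and FAKE_DNS are assumptions.
declare(strict_types=1);

// Never-fetch destinations: loopback, link-local, private/CGNAT ranges, unique-local
// IPv6 (fc00::/7 contains AWS IMDS fd00:ec2::254) and the fd20:ce::/32 prefix.
const BLOCKED_PREFIXES = [
    '0.0.0.0/8', '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16', '100.64.0.0/10',
    '::/128', '::1/128', 'fe80::/10', 'fc00::/7', 'fd20:ce::/32',
];

// Constructed DNS records for offline demonstration (not real lookups).
const FAKE_DNS = [
    'aaaa-only.example' => ['A' => [],               'AAAA' => ['fd00:ec2::254']],
    'dual.example'      => ['A' => ['203.0.113.10'], 'AAAA' => ['2001:db8::10']],
    'mapped.example'    => ['A' => [],               'AAAA' => ['::ffff:169.254.169.254']],
];

// Same contract as PHP's gethostbyname(): first A record, or the name itself on failure.
function fakeGethostbyname(string $host): string
{
    return FAKE_DNS[$host]['A'][0] ?? $host;
}

// Offline resolver returning every A and AAAA address.
function fakeResolver(string $host): array
{
    return array_merge(FAKE_DNS[$host]['A'] ?? [], FAKE_DNS[$host]['AAAA'] ?? []);
}

// Live equivalent for real deployments: dns_get_record() covers both families.
function liveResolver(string $host): array
{
    $a    = array_column(dns_get_record($host, DNS_A) ?: [], 'ip');
    $aaaa = array_column(dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
    return array_merge($a, $aaaa);
}

// True when IP literal $ip lies inside $cidr. Non-IP strings and family mismatches
// yield false, which is exactly why the vulnerable path never matches a hostname.
function ipInCidr(string $ip, string $cidr): bool
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return false;
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if (strlen($ipBin) !== strlen($netBin)) return false;
    [$full, $rem] = [intdiv((int) $bits, 8), (int) $bits % 8];
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

// Canonicalise: ::ffff:a.b.c.d becomes a.b.c.d so the IPv4 rules apply to it.
function normalizeAddress(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) return null;
    $bin = inet_pton($ip);
    $mapped = strlen($bin) === 16 && substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff";
    return inet_ntop($mapped ? substr($bin, 12) : $bin);
}

function isBlockedAddress(string $ip): bool
{
    $norm = normalizeAddress($ip);
    if ($norm === null) return true;                     // not an address: fail closed
    foreach (BLOCKED_PREFIXES as $cidr) if (ipInCidr($norm, $cidr)) return true;
    return false;
}

// The flawed shape: an AAAA-only name comes back as a string, nothing matches, allowed.
function vulnerableCheck(string $host, callable $gethostbyname): bool
{
    $ip = $gethostbyname($host);
    foreach (BLOCKED_PREFIXES as $cidr) if (ipInCidr($ip, $cidr)) return false;
    return true;
}

// The fixed shape: every resolved address of either family must be clean.
function hardenedCheck(string $host, callable $resolver): bool
{
    $literal = trim($host, '[]');                         // URLs carry IPv6 hosts in brackets
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) return !isBlockedAddress($literal);
    $addrs = $resolver($host);
    if ($addrs === []) return false;                      // NXDOMAIN or timeout: fail closed
    foreach ($addrs as $ip) if (isBlockedAddress($ip)) return false;
    return true;
}

foreach (array_keys(FAKE_DNS) as $host) {
    printf("%-20s vulnerable=%-5s hardened=%s\n", $host,
        vulnerableCheck($host, 'fakeGethostbyname') ? 'allow' : 'block',
        hardenedCheck($host, 'fakeResolver') ? 'allow' : 'block');
}
```

Run it with `php` on the command line; the AAAA-only and IPv4-mapped names are the two cases where the two checks disagree. Two things the example deliberately leaves out still matter in a real fix: the fetch must connect to the address that was validated (resolving once for the check and again for the connection leaves a DNS-rebinding window), and any redirect the fetched server returns needs the same check applied to its target.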
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-02-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
4 associated CPEs:

Vendor    Product    Version / Range
craftcms  craft_cms  5.0.0
craftcms  craft_cms  5.0.0
craftcms  craft_cms  From 5.0.1 (inc) to 5.8.23 (exc)
craftcms  craft_cms  From 3.5.0 (inc) to 4.16.19 (exc)

Note that the CPE data and the description disagree on the lower bound of the 4.x range (3.5.0 here versus 4.5.0-RC1 in the description); the upper bounds agree with the patched versions 4.16.19 and 5.8.23.
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27129 is a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS's GraphQL Asset mutation. The SSRF validation uses PHP's gethostbyname(), which performs only an A (IPv4) lookup. When a hostname has only AAAA (IPv6) records and no A record, gethostbyname() returns the hostname string unchanged instead of an IP address, so the blocklist comparison never matches and the SSRF protection is bypassed.

Attackers with GraphQL schema permissions to edit and create assets in a volume can exploit this by submitting an asset URL whose hostname resolves only to an IPv6 address of an internal service, for example a cloud metadata endpoint reachable over IPv6 (such as AWS IMDS or Google Cloud metadata). Because the validation never sees the IPv6 address, the server fetches the URL and may expose credentials returned by those services.

The issue is a bypass of a previous SSRF fix (CVE-2025-68437) and is patched in Craft CMS versions 4.16.19 and 5.8.23. [2, 3]


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to internal network resources and cloud metadata services. Exploiting it allows attackers to retrieve sensitive information such as AWS IAM role names and temporary credentials from internal metadata endpoints. Whether credentials are actually reachable depends on the target's configuration: AWS instances that enforce IMDSv2 require a PUT request carrying a session-token header before any metadata read, which a plain URL fetch cannot perform.

With stolen credentials, attackers can gain elevated access to cloud services, potentially launching new instances with attacker-controlled SSH keys, leading to full infrastructure compromise.

Additionally, attackers can perform network reconnaissance, bypass firewall restrictions, and exfiltrate sensitive internal data by leveraging the SSRF through the GraphQL asset upload functionality.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection starts with establishing whether your Craft CMS instance is running a vulnerable version (4.5.0-RC1 through 4.16.18 or 5.0.0-RC1 through 5.8.22) and whether any GraphQL schema, including the Public Schema, grants permission to create or edit assets in a volume.

Exploitation attempts can be detected by looking for GraphQL asset mutations whose file URL points at internal hosts or cloud metadata endpoints, in particular URLs whose hostname has only AAAA records, since that is what defeats the IPv4-only check. Note that GraphQL mutations travel in the POST body, so a standard access log shows only a request to the GraphQL endpoint; you need request-body logging at a reverse proxy or WAF, or the application's own query logging, to see the mutation and its URL argument.

Suggested commands or approaches include:

  • Review web server or application logs for GraphQL mutations like `save_<VolumeName>_Asset` with URLs targeting internal IPs or metadata endpoints.
  • Use network monitoring tools (e.g., tcpdump, Wireshark) to capture outgoing HTTP requests from the CMS server to internal addresses, especially IPv6 destinations in the `fd00:ec2::` and `fd20:ce::` prefixes or the link-local (`fe80::`) range.
  • Query DNS for hostnames used in asset URLs; a name with AAAA records but no A record is the signature of an attempt to bypass the IPv4-based check.
  • Example command to watch for traffic to the well-known IPv4 and IPv6 AWS IMDS addresses (replace the interface as needed): `tcpdump -i eth0 -nn 'dst host 169.254.169.254 or dst host fd00:ec2::254'`
  • Example to check whether a suspicious hostname is IPv6-only: `dig +short A suspicious-hostname.example.com` followed by `dig +short AAAA suspicious-hostname.example.com`; an empty A answer together with a non-empty AAAA answer is the pattern to look for.

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation is updating Craft CMS to a patched version; the remaining steps reduce the blast radius for instances that cannot be upgraded immediately.

  • Upgrade Craft CMS to version 4.16.19 or later, or 5.8.23 or later, which patch the IPv6 handling in the SSRF validation.
  • Restrict GraphQL schema permissions so that only trusted users can create or edit assets in a volume, and make sure the Public Schema carries no write permissions.
  • Block or restrict egress from the CMS server to internal cloud metadata services and IPv6 prefixes at the network or firewall level, including `fd00:ec2::`, `fd20:ce::`, `::1`, and `fe80::`. On AWS, additionally enforce IMDSv2, which requires a PUT request for a session token before any metadata read and therefore cannot be satisfied by a simple URL fetch.
  • Blocking wildcard DNS services such as nip.io, sslip.io, and xip.io removes one convenient way to point a name at an internal address, but it is not a complete control: an attacker can publish an AAAA-only record under any domain they control.

These steps reduce the chance of exploitation by removing the flawed validation, limiting who can reach the vulnerable mutation, and limiting what the server itself can reach.

