CVE-2026-41129
Received Received - Intake
Server-Side Request Forgery in Craft CMS GraphQL Assets Permissions

Publication date: 2026-04-22

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-41129
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
craftcms craft_cms to 4.17.8 (inc)
craftcms craft_cms to 5.9.14 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-41129 is a Server-Side Request Forgery (SSRF) vulnerability affecting Craft CMS versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14. This vulnerability can be exploited if certain permissions are enabled in the GraphQL schema, specifically the permissions to "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." The issue was fixed in versions 4.17.9 and 5.9.15.

Impact Analysis

This SSRF vulnerability allows an attacker with the required GraphQL permissions to make unauthorized server-side requests. This could potentially lead to unauthorized access to internal resources, data exposure, or other security risks depending on the server environment and configuration.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Craft CMS to version 4.17.9 or later if you are on the 4.x branch, or to version 5.9.15 or later if you are on the 5.x branch.

Additionally, review and restrict permissions in your GraphQL schema, specifically the permissions "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume," as these are required for exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41129. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart