CVE-2026-45660
SSRF in Statamic via Glide Image Proxy

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: GitHub, Inc.

Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses, including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1.
Meta Information
Generated: 2026-05-29
AI Q&A: 2026-05-29
EPSS Evaluated: N/A
Affected Vendors & Products (2 associated CPEs)
Vendor    Product   Version / Range
statamic  statamic  to 5.73.22 (inc)
statamic  statamic  to 6.18.1 (inc)
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Statamic's Glide image proxy URL validation. Before versions 5.73.22 and 6.18.1, the system did not properly normalize IP representations before checking if the IP was public. This allowed an unauthenticated user to bypass the URL validation and cause the server to make HTTP requests to internal addresses, such as loopback, private network, and cloud metadata endpoints.

The issue affects sites that pass user-supplied URLs to Glide and is not present in sites running PHP 8.3 or newer. The vulnerability was fixed in Statamic versions 5.73.22 and 6.18.1.


How can this vulnerability impact me?

An attacker who exploits this vulnerability can make the server perform HTTP requests to internal network addresses without authentication. This can lead to unauthorized access to internal services, exposure of sensitive internal information, or interaction with cloud metadata endpoints that may contain credentials or configuration data.

Because the attacker can reach internal resources, this could facilitate further attacks such as information disclosure or lateral movement within the network.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Statamic to version 5.73.22 or later, or 6.18.1 or later, where the Glide image proxy's URL validation issue has been fixed.

Additionally, if your environment is running PHP 8.3 or newer, your system is not affected by this vulnerability.
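The check the advisory describes, written here as an added example rather than Statamic's own code: canonicalize the host to a single address form before asking whether it is public, and only then allow the fetch. It is in Python so it runs stand-alone; the `resolver` parameter and the sample inputs are assumptions for this illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def canonical_address(host):
    """Return the canonical ipaddress object for an IP literal, or None if host is a name.

    Covers IPv6 literals, IPv4-mapped IPv6, and the legacy IPv4 spellings that
    inet_aton accepts (a single integer, octal or hex parts, fewer than four parts).
    A check that only looks at the raw string misses these; canonicalizing first
    is what closes the gap the advisory describes.
    """
    try:
        addr = ipaddress.ip_address(host)  # strict dotted-quad or IPv6 only
    except ValueError:
        try:
            # Round-trip through packed bytes so legacy forms become dotted-quad.
            addr = ipaddress.ip_address(socket.inet_aton(host))
        except (OSError, ValueError):
            return None  # not an IP literal at all, must be resolved as a name
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:a.b.c.d is really the IPv4 address a.b.c.d
    return addr


def is_public_fetch_target(url, resolver=socket.getaddrinfo):
    """True only if every address the URL's host maps to is globally routable.

    `resolver` (assumed for this example, getaddrinfo-compatible) is consulted
    only for hostnames. The caller must then connect to the vetted address
    rather than re-resolving the name, or a rebinding answer can undo the check.
    """
    parts = urlsplit(url)
    host = parts.hostname  # lowercased, IPv6 brackets already stripped
    if parts.scheme not in ("http", "https") or not host:
        return False
    addr = canonical_address(host)
    if addr is not None:
        candidates = [addr]
    else:
        try:
            candidates = [canonical_address(info[4][0]) for info in resolver(host, None)]
        except OSError:
            return False  # unresolvable names are not fetched
    return bool(candidates) and all(a is not None and a.is_global for a in candidates)
```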

