CVE-2026-54242
Received Received - Intake

DNS Rebinding Bypass in Statamic Glide Image Proxy

Vulnerability report for CVE-2026-54242, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/GuzzleAdapter.php could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation and cause the server to make HTTP requests to internal addresses, including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. This issue is fixed in versions 5.73.24 and 6.20.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
statamic statamic to 6.20.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects Statamic, a Laravel and Git powered CMS. It involves a flaw in the Glide image proxy's URL validation where DNS rebinding can bypass checks. The system validates hostnames as publicly routable but resolves them again when fetching images. Attackers can exploit this by rebinding a hostname to an internal address after validation, causing the server to make HTTP requests to internal systems like loopback, private networks, or cloud metadata endpoints. This issue impacts sites passing user-supplied URLs to Glide.

Detection Guidance

Check if your Statamic version is below 5.73.24 or 6.20.1. Inspect network logs for outbound HTTP requests to internal or unexpected addresses from the Glide image proxy. Monitor DNS rebinding attempts targeting your domain.

Impact Analysis

If you use Statamic versions before 5.73.24 or 6.20.1 and pass user-supplied URLs to Glide, an attacker could trick your server into making unauthorized internal HTTP requests. This could expose internal services, leak sensitive data, or allow further attacks on your infrastructure. The impact is limited to servers configured to process such URLs.

Compliance Impact

This vulnerability could lead to unauthorized access to internal systems, potentially exposing personal or sensitive data. This may violate GDPR's data protection principles or HIPAA's security requirements, depending on the data involved. Compliance risks include unauthorized data disclosure and insufficient security measures to protect data.

Mitigation Strategies

Upgrade Statamic to version 5.73.24 or 6.20.1 or later. Disable the Glide image proxy if user-supplied URLs are not required. Restrict outbound network access to prevent internal requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54242. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart