CVE-2026-27127

6.3 MEDIUM

📋 TL;DR

This CVE describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS's GraphQL Asset mutation that can be exploited through DNS rebinding. The mutation checks the resolved IP of a hostname against its IP restrictions during validation and resolves the hostname again when the actual request is made, so an attacker who controls the DNS responses can return an allowed address during validation and an internal address for the request itself. Affected systems are Craft CMS versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22.
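The validate-then-request gap described above, shown as an added Python example rather than Craft CMS code: a vulnerable pattern that lets the HTTP client resolve the hostname a second time is placed beside a hardened pattern that resolves once, validates that address and pins it for the connection. The resolver is a constructed test double that hands out scripted answers (the way a short-TTL record would), and the function names are illustrative.

```python
"""Added example (not Craft CMS code): why "validate the hostname, then fetch"
is not enough against DNS rebinding, and how pinning the validated address
closes the gap. The resolver is a constructed test double; nothing touches
the network."""
import ipaddress
from typing import Callable, List, Tuple

# Constructed signature for this example: hostname -> one IP address string.
Resolver = Callable[[str], str]


def is_internal(ip: str) -> bool:
    """True for addresses an outbound fetch from the CMS should never reach."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def make_rebinding_resolver(answers: List[str]) -> Resolver:
    """Constructed test double: returns the scripted answers in order and then
    repeats the last one, so lookup N+1 can differ from lookup N."""
    it = iter(answers)
    last = answers[-1]

    def resolve(hostname: str) -> str:
        return next(it, last)

    return resolve


def validate_then_connect(url_host: str, resolve: Resolver) -> Tuple[bool, str]:
    """Vulnerable pattern: validate one resolution, then let the HTTP client
    resolve the name again when it connects. Returns (allowed, ip_connected_to)."""
    if is_internal(resolve(url_host)):      # validation lookup
        return (False, "")
    connect_ip = resolve(url_host)          # the client's own, separate lookup
    return (True, connect_ip)


def validate_and_pin(url_host: str, resolve: Resolver) -> Tuple[bool, str]:
    """Hardened pattern: resolve exactly once, validate that address, and hand
    that same address (not the hostname) to the client for the connection."""
    ip = resolve(url_host)
    if is_internal(ip):
        return (False, "")
    return (True, ip)


if __name__ == "__main__":
    rebinding = make_rebinding_resolver(["93.184.216.34", "10.0.0.5"])
    print("validate-then-connect:", validate_then_connect("assets.example.test", rebinding))
    rebinding = make_rebinding_resolver(["93.184.216.34", "10.0.0.5"])
    print("validate-and-pin:     ", validate_and_pin("assets.example.test", rebinding))
```

Two details matter when applying the pinned pattern to a real HTTP client: the client has to connect to the pinned IP while still sending the original Host header and TLS SNI, and every redirect target has to go through the same resolve-once, validate, pin sequence, otherwise the check is simply bypassed one hop later.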

💻 Affected Systems

Products:
  • Craft CMS
Versions: 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires GraphQL schema permissions for editing assets in specific volumes. Public Schema with write permissions increases attack surface.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with GraphQL permissions can access internal network resources, potentially leading to data exfiltration, internal service enumeration, or further network compromise.

🟠 Likely Case

Authenticated users with asset editing permissions can bypass IP restrictions to access blocked internal endpoints, potentially exposing sensitive internal services.

🟢 If Mitigated

With proper GraphQL permission controls and network segmentation, impact is limited to accessing only authorized internal resources.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access with specific GraphQL permissions and control over DNS responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.16.19 and 5.8.23

Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx

Restart Required: No

Instructions:

1. Update Craft CMS to version 4.16.19 or 5.8.23.
2. Verify the update completed successfully.
3. Test GraphQL asset functionality.

🔧 Temporary Workarounds

Restrict GraphQL Permissions

Operating Systems: all

Limit GraphQL schema access and remove write permissions from Public Schema if not needed.

Network Segmentation

Operating Systems: all

Implement network controls to restrict outbound HTTP requests from CMS servers.

🧯 If You Can't Patch

  • Review and restrict GraphQL permissions to minimum required
  • Implement network egress filtering and monitor for unusual outbound requests

🔍 How to Verify

Check if Vulnerable:

Check the Craft CMS version in the control panel, or run composer show craftcms/cms on the server.

Check Version:

composer show craftcms/cms | grep version

Verify Fix Applied:

Confirm the version is 4.16.19 or later (4.x) or 5.8.23 or later (5.x), and test that GraphQL asset mutations pointing at restricted IPs are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual GraphQL asset mutation requests
  • Requests to internal IP addresses from CMS

Network Indicators:

  • Outbound HTTP requests to internal IP ranges from CMS server
  • A hostname that resolves to different IPs on consecutive lookups, with the CMS then connecting to an address other than the one first returned (especially an internal one)

SIEM Query:

source="craft-cms" AND ("GraphQL" OR "asset mutation") AND ("internal" OR "192.168" OR "10." OR "172.16")

Note that these are substring matches: "172.16" covers only 172.16.0.0/16 of the 172.16.0.0/12 private range (172.16.0.0 to 172.31.255.255), and "10." also matches addresses such as 210.x.x.x. Where the SIEM supports CIDR or IP-range matching, use that instead.
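The log and network indicators above, turned into detection logic and run over constructed egress-log lines, as an added Python example that is not part of this advisory or of Craft CMS. The log format (timestamp, source host, method, URL, resolved destination IP) is an assumption for this example. It matches destinations against real CIDR ranges, so 172.20.x.x is caught as part of 172.16.0.0/12, and it also flags a hostname whose resolved address changed between requests and landed on an internal range, which is the shape a rebinding sequence leaves in the logs.

```python
"""Added example (not from the advisory or Craft CMS): detection logic over
constructed egress-log lines for the indicators listed above."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log, format assumed for this example:
# "<ts> <source host> <method> <url> -> <resolved destination ip>"
SAMPLE_LOG = """\
2026-03-01T12:00:01Z cms-web-01 GET http://cdn.example.test/img/1.png -> 93.184.216.34
2026-03-01T12:00:02Z cms-web-01 GET http://cdn.example.test/img/2.png -> 93.184.216.34
2026-03-01T12:00:05Z cms-web-01 GET http://rebind.example.test/a.png -> 93.184.216.35
2026-03-01T12:00:06Z cms-web-01 GET http://rebind.example.test/a.png -> 172.20.4.15
2026-03-01T12:00:09Z cms-web-01 GET http://static.example.test/c.png -> 169.254.169.254
"""

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local (cloud metadata lives here)
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) -> (?P<dst>\S+)$")


def is_internal(ip: str) -> bool:
    """CIDR-based check; a v4 address is never 'in' a v6 network and vice versa."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def siem_substring_match(ip: str) -> bool:
    """The substring logic of the SIEM query above, kept for comparison."""
    return any(s in ip for s in ("192.168", "10.", "172.16"))


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = urlsplit(rec["url"]).hostname
    return rec


def find_internal_destinations(log_text: str) -> List[Tuple[str, str, str]]:
    """Rule 1: any outbound request from the CMS whose destination is internal.
    Returns (timestamp, hostname, destination_ip) per hit."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_internal(rec["dst"]):
            hits.append((rec["ts"], rec["host"], rec["dst"]))
    return hits


def find_rebinding_candidates(log_text: str) -> Dict[str, List[str]]:
    """Rule 2: hostnames that resolved to more than one address, at least one
    of them internal. Returns hostname -> distinct addresses in order seen."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] not in seen[rec["host"]]:
            seen[rec["host"]].append(rec["dst"])
    return {host: ips for host, ips in seen.items()
            if len(ips) > 1 and any(is_internal(ip) for ip in ips)}


if __name__ == "__main__":
    for hit in find_internal_destinations(SAMPLE_LOG):
        print("internal destination:", hit)
    for host, ips in find_rebinding_candidates(SAMPLE_LOG).items():
        print("possible rebinding:", host, ips)
```

Rule 2 is the more specific signal for this CVE: a single internal destination can be a misconfiguration, but a hostname that flips from a public address to an internal one within seconds is the rebinding pattern itself. In production the rule would need a time window and a per-hostname baseline so that legitimate multi-address CDN names do not fire.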
