CVE-2026-27129
📋 TL;DR
This CVE describes a Server-Side Request Forgery (SSRF) bypass vulnerability in Craft CMS. The SSRF validation in GraphQL Asset mutations fails to properly validate IPv6 addresses, allowing attackers to bypass protection mechanisms. This affects authenticated users with GraphQL schema permissions for editing assets or systems with misconfigured public schema write permissions.
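As an added illustration of the validation gap described above (example code, not Craft CMS's own validator or anything from the advisory): a server-side URL check that only inspects IPv4 results silently lets every IPv6 resolution through, while a hardened check examines each resolved address regardless of family, including IPv4-mapped IPv6 forms. All addresses below are constructed samples.

```python
import ipaddress
import socket
from typing import Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _is_blocked_ip(ip: IPAddr) -> bool:
    """True for any address a server-side fetch should never reach."""
    # An IPv4-mapped IPv6 address (::ffff:169.254.169.254) is judged by the
    # embedded IPv4 address, otherwise the metadata range slips through.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def weak_is_safe(addresses: Iterable[str]) -> bool:
    """The bug class: only IPv4 results are examined, so an IPv6-only
    resolution is never checked and the request is allowed."""
    for addr in addresses:
        try:
            ip = ipaddress.IPv4Address(addr)
        except ValueError:
            continue  # IPv6 (or garbage) is skipped instead of rejected
        if _is_blocked_ip(ip):
            return False
    return True


def hardened_is_safe(addresses: Iterable[str]) -> bool:
    """Reject if ANY resolved address, of either family, is internal."""
    for addr in addresses:
        ip = ipaddress.ip_address(addr)  # parses IPv4 and IPv6 alike
        if _is_blocked_ip(ip):
            return False
    return True


def resolve_all(hostname: str) -> List[str]:
    """Collect every A and AAAA answer; a validator must check all of them,
    not just the first or the IPv4 ones. (Needs network; not exercised in tests.)"""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    for sample in (["::1"], ["::ffff:169.254.169.254"], ["93.184.216.34"]):
        print(sample, "weak:", weak_is_safe(sample), "hardened:", hardened_is_safe(sample))
```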
💻 Affected Systems
- Craft CMS
📦 What is this software?
Craft Cms by Craftcms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could make internal network requests to sensitive systems, potentially accessing internal services, performing port scanning, or interacting with cloud metadata services to obtain credentials.
Likely Case
Unauthorized internal network reconnaissance and potential data exfiltration from internal services accessible from the Craft CMS server.
If Mitigated
Limited impact if proper network segmentation exists and internal services require additional authentication.
🎯 Exploit Status
Exploitation requires specific GraphQL permissions and knowledge of IPv6-only hosts to bypass validation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.16.19 and 5.8.23
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
Restart Required: No
Instructions:
1. Update Craft CMS to version 4.16.19 or 5.8.23.
2. Verify the update completed successfully.
3. Test GraphQL asset functionality.
🔧 Temporary Workarounds
Restrict GraphQL Permissions
Remove GraphQL schema permissions for editing assets from untrusted users and ensure the public schema does not have write permissions.
Disable GraphQL Asset Mutations
Temporarily disable GraphQL mutations for asset creation/editing if they are not required.
🧯 If You Can't Patch
- Implement strict network egress filtering to limit outbound connections from the Craft CMS server.
- Review and audit all user accounts with GraphQL permissions, removing unnecessary asset editing capabilities.
🔍 How to Verify
Check if Vulnerable:
Check the Craft CMS version via the admin panel or by examining the composer.json file. If the version is between 4.5.0-RC1 and 4.16.18, or between 5.0.0-RC1 and 5.8.22, the system is vulnerable.
Check Version:
php craft --version
Verify Fix Applied:
Confirm the version is 4.16.19 or higher for Craft 4, or 5.8.23 or higher for Craft 5. Test GraphQL asset mutations with IPv6-only hostnames (including loopback, link-local and IPv4-mapped addresses) to ensure they are properly blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual GraphQL queries attempting asset mutations with IPv6 addresses
- Failed SSRF validation attempts in application logs
Network Indicators:
- Outbound connections from Craft CMS server to unexpected internal IPs
- Requests to cloud metadata services from application server
SIEM Query:
source="craft-cms-logs" AND ("GraphQL mutation" OR "asset creation") AND ("IPv6" OR "AAAA record")