PT-2026-21609 · Pixel & Tonic · Craft Cms
Mhe4Am · Published 2026-01-05 · Updated 2026-02-24 · CVE-2026-27127
CVSS v4.0: 7.0 (High)
| Vector | AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 4.5.0-RC1 through 4.16.18
Craft CMS versions 5.0.0-RC1 through 5.8.22
Description
Craft CMS is susceptible to Server-Side Request Forgery (SSRF) in its GraphQL Asset mutation. The URL validation resolves the target hostname in one DNS lookup, and the HTTP request that follows performs a second, independent lookup, which creates a Time-of-Check to Time-of-Use (TOCTOU) window. An attacker can exploit this with DNS rebinding: their DNS server returns one IP address while the URL is validated and a different one when the actual request is made. This bypasses a previous security fix and enables access to blocked IPs, including those used by cloud metadata services (AWS, GCP, Azure, Alibaba Cloud and Oracle Cloud). Exploitation requires GraphQL schema permissions for editing and creating assets within a specific volume. An attacker could potentially retrieve credentials and achieve code execution by creating new instances with their SSH key. The same DNS rebinding also allows access to internal services on 127.0.0.1 or 10.x.x.x IP addresses.
Recommendations
Craft CMS versions prior to 4.16.19 and versions prior to 5.8.23: implement DNS pinning using CURLOPT_RESOLVE to ensure the same IP address is used for both validation and the request.
As an alternative mitigation, use the resolved IP address directly in the URL and include the original hostname in the Host header.
Consider implementing IMDSv2, which requires a token header for accessing instance metadata.
Implement network egress filtering to block access to metadata IPs.
Exploit
Fix
Time Of Check To Time Of Use
SSRF
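The DNS-pinning fix recommended above, as an added example that is not Craft CMS's own code: the hostname is resolved once, every returned address is checked against loopback, link-local, private and reserved ranges, and the checked address is handed to curl through CURLOPT_RESOLVE so the request cannot be rebound to another address after the check. The function names and the IPv4-only resolution via gethostbynamel are assumptions of this example.

```php
// Added example, not Craft CMS code: fetch a user-supplied URL with the target
// address validated once and then pinned via CURLOPT_RESOLVE, so the request
// cannot be rebound after the check. Assumes the curl extension and IPv4 targets.
function isPublicIpv4(string $ip): bool
{
    // Rejects loopback, link-local 169.254.0.0/16 (cloud metadata services),
    // RFC 1918 private ranges and other reserved blocks.
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    return filter_var($ip, FILTER_VALIDATE_IP, $flags) !== false;
}
function fetchWithPinnedDns(string $url): string
{
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!isset($parts['host']) || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only absolute http(s) URLs are allowed');
    }
    $host = $parts['host'];
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    // Resolve exactly once. Every returned record must pass, otherwise an
    // attacker-controlled zone could mix public and internal addresses.
    $ips = gethostbynamel($host);
    if ($ips === false || $ips === []) {
        throw new RuntimeException("Could not resolve $host");
    }
    foreach ($ips as $ip) {
        if (!isPublicIpv4($ip)) {
            throw new RuntimeException("Refusing $url: $host resolves to blocked address $ip");
        }
    }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        // Pin the validated address; curl uses it instead of re-resolving $host,
        // while SNI and certificate checks still use the original hostname.
        CURLOPT_RESOLVE        => ["$host:$port:{$ips[0]}"],
        // A redirect would trigger a fresh, unpinned lookup, so do not follow it.
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("Request failed: $err");
    }
    return $body;
}
```

Because the pinned entry applies only to the original host and port, redirects are deliberately not followed; a caller that needs them should validate and pin each hop the same way.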