PT-2026-21652 · Craft Cms · Craft Cms

Rajchowdhury240 · Published 2026-01-05 · Updated 2026-02-25 · CVE-2026-27129

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Craft versions 4.5.0-RC1 through 4.16.18; Craft versions 5.0.0-RC1 through 5.8.22

Description: Craft is a content management system (CMS). The SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, bypassing SSRF protection. This bypasses a previous security fix. Exploitation requires GraphQL schema permissions for editing assets in the VolumeName volume and creating assets in the VolumeName volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). The vulnerable component is the GraphQL Asset mutation.

Recommendations: Update to Craft version 4.16.19 or later. Update to Craft version 5.8.23 or later.
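As an added illustration (not Craft's code), the following PHP contrasts a host check built on gethostbyname(), with the failure mode the advisory describes, against a check that resolves both A and AAAA records and fails closed when nothing resolves. Function names and the sample host are hypothetical.

```php
<?php
// Added example, not Craft CMS code: a resolver check modelled on the advisory.

// Hypothetical check in the style the advisory describes. gethostbyname()
// resolves only A records and returns the hostname unchanged on failure, so
// an AAAA-only host never becomes an IP and the range check never fires.
function isAllowedHostVulnerable(string $host): bool
{
    $ip = gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return true; // not an IP literal: the name passes through unchecked
    }
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Hardened form: resolve both A and AAAA records, fail closed when nothing
// resolves, and reject any address in a private or reserved range.
function isAllowedHostHardened(string $host): bool
{
    $addresses = [];
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addresses[] = $host; // caller supplied an IP literal
    } else {
        foreach (dns_get_record($host, DNS_A) ?: [] as $rec) {
            $addresses[] = $rec['ip'];
        }
        foreach (dns_get_record($host, DNS_AAAA) ?: [] as $rec) {
            $addresses[] = $rec['ipv6'];
        }
    }
    if ($addresses === []) {
        return false; // unresolvable name: reject rather than pass through
    }
    foreach ($addresses as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

// ".invalid" is reserved (RFC 2606) and never resolves, so gethostbyname()
// hands the name back unchanged and the weak check lets it through, while
// the hardened check rejects it. (Constructed sample host.)
$host = 'aaaa-only.invalid';
var_dump(isAllowedHostVulnerable($host));
var_dump(isAllowedHostHardened($host));
```

The validated addresses should also be the ones actually connected to, since a second lookup at fetch time can return a different answer (DNS rebinding).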

Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-27129
GHSA-V2GC-RM6G-WRW9
GHSA-X27P-WFQW-HFCC

Affected Products

Craft Cms