PT-2026-7142 · Craft Cms · Craft Cms

Leftenantzero · Published 2026-02-09 · Updated 2026-02-09

CVE-2026-25492 · CVSS v3.1 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Craft CMS versions 3.5.0 through 4.16.17
Craft CMS versions 5.0.0-RC1 through 5.8.21
Description
The save_images_Asset GraphQL mutation in Craft CMS (the Asset save mutation for the volume whose handle is "images") can be abused to fetch URLs on internal networks. Craft validates the hostname of the supplied URL, but the check does not consider what that hostname resolves to, so an attacker-controlled domain name that resolves to an internal IP address passes it. If the target volume permits non-image file extensions such as .txt, the downstream image validation is also bypassed and the fetched response body is stored as-is. An authenticated attacker with the appropriate permissions can therefore use the mutation to retrieve sensitive data from the underlying host, for example AWS instance metadata credentials. The vulnerable mutation is reached through the GraphQL API endpoint /graphql; the domain parameter carries the domain name that resolves to the internal IP address.
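The two checks the description contrasts, written out as an added Python illustration (not Craft's PHP code and not the vendor's fix): a hostname blocklist that an attacker-controlled domain walks straight past, beside a check that resolves the name and rejects any non-global address, plus an image-extension allowlist that keeps a .txt response from reaching storage. The FAKE_DNS table and the attacker.example names are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed stand-in for DNS so the example runs offline. The attacker
# controls the *.attacker.example names and points them at internal targets;
# 169.254.169.254 is the AWS instance metadata service address.
FAKE_DNS = {
    "cdn.example.com": ["93.184.216.34"],          # ordinary public host
    "meta.attacker.example": ["169.254.169.254"],  # AWS IMDS, link-local
    "loop.attacker.example": ["127.0.0.1"],        # loopback
    "v6.attacker.example": ["::ffff:10.0.0.5"],    # IPv4-mapped IPv6 to a private address
}

BLOCKED_HOSTS = {"localhost", "127.0.0.1", "::1", "169.254.169.254"}
IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "svg"}


def resolve(host):
    """Addresses a host resolves to: the constructed table first, real DNS otherwise."""
    if host in FAKE_DNS:
        return list(FAKE_DNS[host])
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def weak_validate(url):
    """Hostname-only check, the pattern the advisory describes as bypassable:
    it never looks at what the name resolves to."""
    host = (urlparse(url).hostname or "").lower()
    return bool(host) and host not in BLOCKED_HOSTS


def is_internal(ip_text):
    """True for any address that is not globally routable (private, loopback,
    link-local, unspecified, reserved), unwrapping IPv4-mapped IPv6 forms first."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not ip.is_global


def strict_validate(url, resolver=resolve):
    """Resolve the host and reject the URL if any resolved address is internal."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False
    try:
        addresses = resolver(parsed.hostname.lower())
    except (OSError, ValueError):
        return False
    return bool(addresses) and not any(is_internal(a) for a in addresses)


def extension_allowed(filename, allowed=IMAGE_EXTENSIONS):
    """Allowlist check on the stored filename; .txt and similar never pass."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in allowed


if __name__ == "__main__":
    imds = "http://meta.attacker.example/latest/meta-data/iam/security-credentials/"
    print("weak  :", weak_validate(imds))          # True: the blocklist never sees 169.254.169.254
    print("strict:", strict_validate(imds))        # False: resolved address is link-local
    print("image :", extension_allowed("creds.txt"))  # False: not an image extension
```

Resolving and then fetching in two separate steps still leaves a window for DNS rebinding, so a fetcher built on strict_validate should connect to the address it validated rather than re-resolving, and run the same check on every redirect target.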
Recommendations
Update to Craft CMS version 4.16.18 or later (4.x branch).
Update to Craft CMS version 5.8.22 or later (5.x branch).

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-25492
GHSA-96PQ-HXPW-RGH8

Affected Products

Craft Cms