CVE-2026-25492

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25492
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff Patch
https://github.com/craftcms/cms/releases/tag/5.8.22 Product Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8 Exploit Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
History

19 Feb 2026, 19:12

Type Values Removed Values Added
References () https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff - () https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff - Patch
References () https://github.com/craftcms/cms/releases/tag/5.8.22 - () https://github.com/craftcms/cms/releases/tag/5.8.22 - Product, Release Notes
References () https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8 - () https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8 - Exploit, Patch, Vendor Advisory
Summary
  • (es) Craft CMS es un sistema de gestión de contenido. En las versiones de Craft 3.5.0 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutación GraphQL save_images_Asset puede ser utilizada indebidamente para obtener URLs internas al proporcionar un nombre de dominio que se resuelve en una dirección IP interna, eludiendo la validación del nombre de host. Cuando se permite una extensión de archivo que no es de imagen, como .txt, se elude la validación de imagen posterior, lo que puede permitir a un atacante autenticado con permiso para usar save_images_Asset recuperar datos sensibles como credenciales de metadatos de instancia de AWS del host subyacente. Este problema está parcheado en las versiones 4.16.18 y 5.8.22.
CPE cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 6.5
First Time Craftcms
Craftcms craft Cms

09 Feb 2026, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:12

NVD link : CVE-2026-25492

Mitre link : CVE-2026-25492

CVE.ORG link : CVE-2026-25492

JSON object : View

Products Affected

craftcms

  • craft_cms
CWE
CWE-918

Server-Side Request Forgery (SSRF)