CVE-2026-27129

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
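The root cause above is a PHP resolver quirk: `gethostbyname()` only looks up A records and, on failure, returns the hostname string unchanged rather than an address, so a blocklist that compares the "resolved" value against IP ranges matches nothing. The following PHP is an added illustration, not Craft CMS code and not the referenced patch: it places that weak pattern beside a check that resolves both A and AAAA records and fails closed. The CIDR blocklist and the function names (`weakHostIsAllowed`, `hardenedHostIsAllowed`, `resolverReturnedAddress`) are constructed for the example.

```php
<?php
// Added example, not Craft CMS code. The blocklist below is constructed for the
// example; the project's real list is not reproduced on the advisory page.
declare(strict_types=1);

const BLOCKED_CIDRS = [
    '127.0.0.0/8',    // IPv4 loopback
    '10.0.0.0/8',     // RFC 1918
    '172.16.0.0/12',  // RFC 1918
    '192.168.0.0/16', // RFC 1918
    '169.254.0.0/16', // IPv4 link-local (cloud metadata endpoints live here)
    '::1/128',        // IPv6 loopback
    'fc00::/7',       // IPv6 unique local
    'fe80::/10',      // IPv6 link-local
];

// True when the IP literal $ip lies inside $cidr. A value that is not an IP
// literal, or that belongs to the other address family, simply does not match.
function ipInCidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $subnetBin = inet_pton($subnet);
    if ($ipBin === false || $subnetBin === false || strlen($ipBin) !== strlen($subnetBin)) {
        return false;
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($subnetBin, 0, $fullBytes)) {
        return false;
    }
    $remBits = $bits % 8;
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($subnetBin[$fullBytes]) & $mask);
}

function isBlockedIp(string $ip): bool
{
    foreach (BLOCKED_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// The weak pattern the advisory describes: gethostbyname() consults A records
// only and, per the PHP manual, returns the hostname unchanged on failure. For
// an AAAA-only name $ip is therefore still a hostname, no CIDR matches it, and
// the function reports "allowed" without ever having seen an address.
function weakHostIsAllowed(string $host): bool
{
    $ip = gethostbyname($host);
    return !isBlockedIp($ip);
}

// The hardened pattern: accept IP literals of either family directly, resolve
// hostnames over both A and AAAA, reject the host if any answer is blocked, and
// fail closed when nothing resolves instead of passing the hostname through.
function hardenedHostIsAllowed(string $host): bool
{
    $host = rtrim(strtolower(trim($host)), '.');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isBlockedIp($host);
    }
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if (!is_array($records) || $records === []) {
        return false; // unresolvable: fail closed
    }
    foreach ($records as $record) {
        $ip = $record['ip'] ?? $record['ipv6'] ?? null; // 'ip' for A, 'ipv6' for AAAA
        if ($ip === null || isBlockedIp($ip)) {
            return false;
        }
    }
    return true;
}

// Minimal guard for code that must keep calling gethostbyname(): treat any
// return value that is not an IPv4 literal as a resolution failure, never as
// an address to compare against a blocklist.
function resolverReturnedAddress(string $host): bool
{
    return filter_var(gethostbyname($host), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}
```

Two points for anyone auditing similar code: a blocklist check is only as good as the resolver feeding it, so the check must verify it actually received an address of a family it can compare, and resolving before the fetch still leaves a window for the answer to change between the check and the request. The hardened function above narrows the resolver gap the advisory describes; it is not a substitute for the fix in the linked commit, which should be applied by upgrading to 4.16.19 or 5.8.23.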
Configurations

Configuration 1

OR
  cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

02 Mar 2026, 20:35

Type: Summary
  Values Added: (es) Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS's GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, which causes the blocklist comparison to always fail and completely bypasses the SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions to edit assets in the '' volume and to create assets in the '' volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or the Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

Type: CVSS
  Values Removed: v2 : unknown; v3 : unknown
  Values Added: v2 : unknown; v3 : 6.5

Type: References
  Values Removed: https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3 (no tags)
  Values Added: https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3 - Patch

Type: References
  Values Removed: https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9 (no tags)
  Values Added: https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9 - Exploit, Mitigation, Patch, Vendor Advisory

Type: References
  Values Removed: https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc (no tags)
  Values Added: https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc - Not Applicable

Type: CPE
  Values Added: cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
                cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
                cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

Type: First Time
  Values Added: Craftcms
                Craftcms craft Cms

24 Feb 2026, 03:16

Type: New CVE

Information

Published : 2026-02-24 03:16

Updated : 2026-03-02 20:35


NVD link : CVE-2026-27129

Mitre link : CVE-2026-27129

CVE.ORG link : CVE-2026-27129



Products Affected

craftcms

  • craft_cms

CWE

CWE-918: Server-Side Request Forgery (SSRF)