{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25492", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-02T16:31:35.823Z", "datePublished": "2026-02-09T19:33:24.366Z", "dateUpdated": "2026-02-10T16:00:41.366Z"}, "containers": {"cna": {"title": "Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"}, {"name": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"}, {"name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.8.22", "status": "affected"}, {"version": ">= 3.5.0, < 4.16.18", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:33:24.366Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."}], "source": {"advisory": "GHSA-96pq-hxpw-rgh8", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-10T15:30:21.159141Z", "id": "CVE-2026-25492", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T16:00:41.366Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-25492", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-10T15:30:21.159141Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-10T15:30:21.851Z"}}], "cna": {"title": "Craft has a save_images_Asset graphql mutation can be abused to exfiltrate AWS credentials of underlying host", "source": {"advisory": "GHSA-96pq-hxpw-rgh8", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.22"}, {"status": "affected", "version": ">= 3.5.0, < 4.16.18"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff", "name": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "name": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-09T19:33:24.366Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25492", "state": "PUBLISHED", "dateUpdated": "2026-02-10T16:00:41.366Z", "dateReserved": "2026-02-02T16:31:35.823Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-09T19:33:24.366Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E85FA80-6A50-430C-8E92-3D46BBE0682C", "versionEndExcluding": "4.16.18", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "CCCB684A-592F-495F-86A7-F16399C58701", "versionEndExcluding": "5.8.22", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido. En las versiones de Craft 3.5.0 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutaci\u00f3n GraphQL save_images_Asset puede ser utilizada indebidamente para obtener URLs internas al proporcionar un nombre de dominio que se resuelve en una direcci\u00f3n IP interna, eludiendo la validaci\u00f3n del nombre de host. Cuando se permite una extensi\u00f3n de archivo que no es de imagen, como .txt, se elude la validaci\u00f3n de imagen posterior, lo que puede permitir a un atacante autenticado con permiso para usar save_images_Asset recuperar datos sensibles como credenciales de metadatos de instancia de AWS del host subyacente. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."}], "id": "CVE-2026-25492", "lastModified": "2026-02-19T19:12:55.063", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-09T20:15:57.650", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/craftcms/cms/releases/tag/5.8.22"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.22)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.5.0,4.16.18)"}}], "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-18T12:58:49.312242+00:00", "value": {"mitigation_remediation": ["Apply the latest Craft CMS update (v4.16.18 or v5.8.22) to remove the vulnerable save_images_Asset mutation logic.", "Review and restrict GraphQL `save_images_Asset` permissions, granting the mutation only to trusted accounts and revoking it from users who do not require image upload capability.", "Block internal DNS resolution in the mutation or enforce hostname validation to prevent requests to internal IPs, and consider disabling support for non\u2011image file extensions submitted to the mutation."], "summary": {"action": "Immediate Patch", "impact": "Exfiltration of AWS instance metadata credentials via Craft CMS GraphQL mutation"}, "threat_synthesis": {"affected_systems": "Versions 3.5.0 through 4.16.17 and 5.0.0\u2011RC1 through 5.8.21 of Craft CMS are affected. The issue is fixed in 4.16.18 and 5.8.22 and later releases.", "description_and_impact": "Craft CMS\u2019 save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain that resolves to an internal IP address, bypassing hostname validation. When a non\u2011image file extension such as .txt is allowed, downstream image validation is skipped, enabling an attacker with permission to the mutation to retrieve sensitive data like AWS instance metadata credentials from the underlying host. This flaw represents a Server\u2011Side Request Forgery weakness and can lead to credential leakage.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, while an EPSS score below 1% shows a very low exploitation probability. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated user with the ability to invoke the save_images_Asset mutation and supply a domain that resolves to an internal IP. Once executed, the attacker can exfiltrate AWS metadata credentials, representing a serious confidentiality breach if privileged accounts are targeted or compromised."}}}}, "created": "2026-02-10T15:37:31.255471+00:00", "updated": "2026-04-18T13:00:08.770424+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}