{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27127", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-24T02:39:44.569Z", "dateUpdated": "2026-02-28T02:12:36.723Z"}, "containers": {"cna": {"title": "Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx"}, {"name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}, {"name": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.5.0-RC1, < 4.16.19", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.8.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:39:44.569Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker\u2019s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}], "source": {"advisory": "GHSA-gp2f-7wcm-5fhx", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-28T02:12:07.793660Z", "id": "CVE-2026-27127", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:12:36.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27127", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-28T02:12:07.793660Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:12:32.548Z"}}], "cna": {"title": "Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding", "source": {"advisory": "GHSA-gp2f-7wcm-5fhx", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.5.0-RC1, < 4.16.19"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.23"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "name": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker\u2019s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:39:44.569Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27127", "state": "PUBLISHED", "dateUpdated": "2026-02-28T02:12:36.723Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T02:39:44.569Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5375BC8-3E29-48A4-AE56-1B544F736CFA", "versionEndExcluding": "4.16.19", "versionStartIncluding": "3.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF22B83-BC96-49B9-9694-F6F2688409AA", "versionEndExcluding": "5.8.23", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:3.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "6DBDF2E4-0F24-4B10-8FF1-83C2F67A45D4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker\u2019s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). En las versiones 4.5.0-RC1 hasta la 4.16.18 y 5.0.0-RC1 hasta la 5.8.22, la validaci\u00f3n de SSRF en la mutaci\u00f3n GraphQL Asset de Craft CMS realiza la resoluci\u00f3n DNS separadamente de la solicitud HTTP. Esta vulnerabilidad de Tiempo de Verificaci\u00f3n-Tiempo de Uso (TOCTOU) permite ataques de reencuadernaci\u00f3n de DNS, donde el servidor DNS de un atacante devuelve diferentes direcciones IP para la validaci\u00f3n en comparaci\u00f3n con la solicitud real. Esto es un bypass de la correcci\u00f3n de seguridad para CVE-2025-68437 que permite el acceso a todas las IP bloqueadas, no solo a los puntos finales IPv6. La explotaci\u00f3n requiere permisos de esquema GraphQL para editar activos en el volumen `` y crear activos en el volumen ``. Estos permisos pueden ser otorgados a usuarios autenticados con acceso apropiado al esquema GraphQL y/o Esquema P\u00fablico (si est\u00e1 mal configurado con permisos de escritura). Las versiones 4.16.19 y 5.8.23 parchean el problema."}], "id": "CVE-2026-27127", "lastModified": "2026-02-25T19:31:05.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:02.440", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0-RC1,4.16.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.23)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-16T16:29:07.958630+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.16.19 or 5.8.23, which includes the SSRF protection fix.", "Restrict GraphQL schema permissions so that only authorized authenticated users can perform asset mutation operations, and ensure the public schema does not allow write access to assets.", "If an immediate upgrade is not possible, block internal IP ranges or DNS rebinding by restricting outbound DNS queries or by configuring a firewall to limit outbound connections originating from the CMS server."], "summary": {"action": "Patch", "impact": "SSRF Bypass"}, "threat_synthesis": {"affected_systems": "The affected product is Craft CMS, with impacted releases from the listed 4.* and 5.* branches. Versions earlier than 4.16.19 and 5.8.23 are vulnerable, while patch versions 4.16.19 and 5.8.23 contain the necessary remediation. The issue is relevant to sites that expose the GraphQL API and assign asset\u2011mutation rights to users or misconfigure the public schema with write capabilities.", "description_and_impact": "Craft CMS versions 4.5.0\u2011RC1 through 4.16.18 and 5.0.0\u2011RC1 through 5.8.22 contain a time\u2011of\u2011check time\u2011of\u2011use flaw in the GraphQL Asset mutation. The validation routine resolves a DNS name before sending the HTTP request, allowing an attacker to serve the name with one IP during validation and a different IP during the actual request. This DNS rebinding bypasses the SSRF protection that had targeted only IPv6 endpoints in a prior fix, enabling a published SSRF vulnerability to reach any internal host or cloud metadata service.", "risk_and_exploitability": "The CVSS score of 7.0 indicates high severity, yet the EPSS score remains below 1\u202f% and the vulnerability is not yet in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires that an attacker can use the GraphQL asset mutation to edit or create assets in a volume; for many installations this privilege is granted to authenticated users or public schema users when misconfigured. Given the TOCTOU nature of the flaw, a successful attack could grant internal network reconnaissance or the ability to reach cloud metadata services, potentially exposing sensitive tokens or enabling further lateral movement."}}}}, "created": "2026-02-24T09:53:11.920916+00:00", "updated": "2026-04-16T16:30:15.948951+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}