{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-17T18:42:27.043Z", "datePublished": "2026-02-24T02:45:45.494Z", "dateUpdated": "2026-02-28T02:17:18.957Z"}, "containers": {"cna": {"title": "Cloud Metadata SSRF Protection Bypass via IPv6 Resolution", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"}, {"name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}, {"name": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 4.5.0-RC1, < 4.16.19", "status": "affected"}, {"version": ">= 5.0.0-RC1, < 5.8.23", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:45:45.494Z"}, "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}], "source": {"advisory": "GHSA-v2gc-rm6g-wrw9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-28T02:16:52.966432Z", "id": "CVE-2026-27129", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:17:18.957Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27129", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-28T02:16:52.966432Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-28T02:17:13.721Z"}}], "cna": {"title": "Cloud Metadata SSRF Protection Bypass via IPv6 Resolution", "source": {"advisory": "GHSA-v2gc-rm6g-wrw9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.7, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"status": "affected", "version": ">= 4.5.0-RC1, < 4.16.19"}, {"status": "affected", "version": ">= 5.0.0-RC1, < 5.8.23"}]}], "references": [{"url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "name": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "name": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "CWE-918: Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-24T02:45:45.494Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27129", "state": "PUBLISHED", "dateUpdated": "2026-02-28T02:17:18.957Z", "dateReserved": "2026-02-17T18:42:27.043Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-24T02:45:45.494Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C596EBB-ED70-4F53-A0E2-8ECB3F5A52D3", "versionEndExcluding": "4.16.19", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "matchCriteriaId": "6DF22B83-BC96-49B9-9694-F6F2688409AA", "versionEndExcluding": "5.8.23", "versionStartIncluding": "5.0.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "1C7461CF-35AB-48E1-88B6-956DAE1D2AB4", "vulnerable": true}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8D8E02D1-601A-4E2B-B619-4775BFDB72D0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS\u2019s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue."}, {"lang": "es", "value": "Craft es un sistema de gesti\u00f3n de contenido (CMS). En las versiones 4.5.0-RC1 hasta 4.16.18 y 5.0.0-RC1 hasta 5.8.22, la validaci\u00f3n de SSRF en la mutaci\u00f3n GraphQL Asset de Craft CMS utiliza `gethostbyname()`, que solo resuelve direcciones IPv4. Cuando un nombre de host tiene solo registros AAAA (IPv6), la funci\u00f3n devuelve la propia cadena del nombre de host, lo que hace que la comparaci\u00f3n de la lista de bloqueo siempre falle y omita completamente la protecci\u00f3n SSRF. Esto es una omisi\u00f3n de la correcci\u00f3n de seguridad para CVE-2025-68437. La explotaci\u00f3n requiere permisos de esquema GraphQL para editar activos en el volumen '' y crear activos en el volumen ''. Estos permisos pueden ser otorgados a usuarios autenticados con acceso apropiado al esquema GraphQL y/o al Esquema P\u00fablico (si est\u00e1 mal configurado con permisos de escritura). Las versiones 4.16.19 y 5.8.23 parchean el problema."}], "id": "CVE-2026-27129", "lastModified": "2026-03-02T20:35:37.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-24T03:16:02.807", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Patch", "Vendor Advisory"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"}, {"source": "security-advisories@github.com", "tags": ["Not Applicable"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.5.0-RC1,4.16.19)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0.0-RC1,5.8.23)"}}], "enrichment": {"confidence": 83.0, "confidence_source": "matching", "scores": [{"score": 83.0, "source": "matching"}]}, "original": {"product": "cms", "source": "cna", "vendor": "craftcms"}, "product": "craftcms", "vendor": "craftcms"}], "analysis": {"en": {"generated_at": "2026-04-18T10:58:00.145423+00:00", "value": {"mitigation_remediation": ["Apply the latest Craft CMS patch (version 4.16.19 or later, or 5.8.23 or later) to correct the SSRF validation logic.", "Restrict GraphQL asset mutation permissions so that only users who truly need to create or edit assets have write access, and remove such permissions from any public GraphQL schema.", "If an immediate patch is not possible, implement an interim check that rejects hostnames resolving only to IPv6 addresses and enforce a manual blocklist comparison against known internal or cloud\u2011metadata endpoints."], "summary": {"action": "Apply Patch", "impact": "Server\u2011Side Request Forgery Bypass"}, "threat_synthesis": {"affected_systems": "Craft CMS versions 4.5.0\u2011RC1 through 4.16.18 and 5.0.0\u2011RC1 through 5.8.22 are affected. The vulnerability applies to the GraphQL Asset mutation endpoint and requires the same product and version identifiers used in the CWE\u2011918 listing.", "description_and_impact": "Craft CMS\u2019s GraphQL Asset mutation uses gethostbyname() to validate hostnames, resolving only IPv4 addresses, an oversight identified as CWE-918. When a hostname offers only AAAA (IPv6) records, gethostbyname() returns the hostname string itself, causing the blocklist comparison to fail and the SSRF protection to be bypassed. This flaw is a direct bypass of the fix for CVE-2025-68437 and allows a malicious request to reach internal or cloud\u2011metadata services that the server can access.", "risk_and_exploitability": "The CVSS score of 5.7 indicates moderate severity, while the EPSS score of less than 1% shows a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, yet it can be abused by anyone who has GraphQL schema permissions to edit or create assets in an authenticated or misconfigured public schema. The attack requires only the ability to send a GraphQL mutation, which is often available to authenticated users with asset\u2011management privileges."}}}}, "created": "2026-02-24T09:53:09.073957+00:00", "updated": "2026-04-18T11:00:05.749932+00:00", "vendors": ["craftcms", "craftcms$PRODUCT$craftcms"]}