CVE Alert

CVE-2026-27129

Severity UNKNOWN

Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS's GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
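The following is an added example, not Craft CMS code and not taken from the advisory or the referenced commit. It contrasts a `gethostbyname()`-based blocklist check, which exhibits the failure mode described above, with a hardened check that resolves both A and AAAA records, fails closed on unresolvable hosts, and rejects any resolved address that is non-public or on the blocklist. It goes slightly beyond the advisory's AAAA-only case by also handling IPv6 literals, which `gethostbyname()` likewise passes through unchanged. The function names, the blocklist contents and the test host are assumptions constructed for illustration.

```php
<?php
// Added example (not Craft CMS code). Contrasts a gethostbyname()-based
// SSRF blocklist check with a resolver that checks every A and AAAA record.
// Function names, hostnames and the blocklist below are constructed.

// Weak check: gethostbyname() only resolves A records, and on failure it
// returns the hostname string unchanged. For an AAAA-only host (or an IPv6
// literal) the blocklist is therefore compared against a non-IP string and
// never matches.
function isBlockedWeak(string $host, array $blockedCidrs): bool
{
    $ip = gethostbyname($host);             // AAAA-only host -> $host comes back unchanged
    return ipInAnyCidr($ip, $blockedCidrs); // non-IP string -> false -> request allowed
}

// Hardened check: treat IP literals directly, otherwise resolve both A and
// AAAA records, fail closed when nothing resolves, and reject the request if
// ANY resolved address is non-public or on the blocklist.
function isBlockedHardened(string $host, array $blockedCidrs): bool
{
    $addresses = [];
    $literal = trim($host, '[]'); // accept "[fd00::1]"-style URL hosts
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        $addresses[] = $literal;
    } else {
        $records = @dns_get_record($host, DNS_A | DNS_AAAA);
        if ($records === false || $records === []) {
            return true; // fail closed: unresolvable hosts are not allowed
        }
        foreach ($records as $record) {
            if (isset($record['ip'])) {
                $addresses[] = $record['ip'];   // A record
            }
            if (isset($record['ipv6'])) {
                $addresses[] = $record['ipv6']; // AAAA record
            }
        }
    }
    foreach ($addresses as $ip) {
        // Reject private, loopback, link-local and unique-local ranges in
        // either address family before consulting the explicit blocklist.
        $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
        if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
            return true;
        }
        if (ipInAnyCidr($ip, $blockedCidrs)) {
            return true;
        }
    }
    return false;
}

// CIDR membership for IPv4 and IPv6 using packed binary comparison.
function ipInAnyCidr(string $ip, array $cidrs): bool
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return false; // not an IP literal: exactly the weak check's failure mode
    }
    foreach ($cidrs as $cidr) {
        [$network, $bits] = explode('/', $cidr, 2);
        $packedNet = @inet_pton($network);
        if ($packedNet === false || strlen($packedNet) !== strlen($packed)) {
            continue; // address-family mismatch or malformed entry
        }
        $bits = (int) $bits;
        $fullBytes = intdiv($bits, 8);
        if (substr($packed, 0, $fullBytes) !== substr($packedNet, 0, $fullBytes)) {
            continue;
        }
        $remaining = $bits % 8;
        if ($remaining === 0) {
            return true;
        }
        $mask = (0xFF << (8 - $remaining)) & 0xFF;
        if ((ord($packed[$fullBytes]) & $mask) === (ord($packedNet[$fullBytes]) & $mask)) {
            return true;
        }
    }
    return false;
}

// Constructed blocklist: the IPv4 link-local range that hosts cloud metadata
// services, the IPv6 metadata address AWS documents (fd00:ec2::254), and the
// IPv6 link-local block.
$blocked = ['169.254.0.0/16', 'fd00:ec2::254/128', 'fe80::/10'];

// An IPv6 literal needs no DNS, so the contrast is deterministic:
var_dump(isBlockedWeak('fd00:ec2::254', $blocked));     // bool(false): bypassed
var_dump(isBlockedHardened('fd00:ec2::254', $blocked)); // bool(true): rejected
```

Two caveats apply to the hardened variant. First, a validation that resolves the name and then lets the HTTP client resolve it again is still exposed to DNS rebinding; the fetch should be pinned to the address that was validated, or the check repeated on the connected socket's peer address. Second, the filter flags cover the standard private and reserved ranges, but cloud metadata endpoints outside those ranges still need the explicit blocklist, which is why both checks are kept.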

CWE CWE-918
Vendor craftcms
Product cms
Published Feb 24, 2026
Last Updated Feb 28, 2026

Affected Versions

craftcms / cms
>= 4.5.0-RC1, < 4.16.19
>= 5.0.0-RC1, < 5.8.23

References

NVD, CVE.org, EPSS Data
https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3