CVE-2026-25493 MEDIUM

CVE-2026-25493: Craft has a SSRF in GraphQL Asset Mutation via HTTP Redirect

Vendor Craftcms
Product cms
Weakness CWE-918 · SSRF
Published February 9, 2026
Last update February 10, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
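The mitigation pattern for this class of bug, shown as an added example (not Craft's actual patch and not code from the advisory): disable Guzzle's automatic redirect handling and re-run the destination check on every hop. The helper names `assertPublicHost` and `fetchValidated`, the hop limit, and the mocked URLs and response are assumptions constructed for illustration; it requires `guzzlehttp/guzzle` installed via Composer.

```php
<?php
require 'vendor/autoload.php'; // assumes guzzlehttp/guzzle is installed via Composer
use GuzzleHttp\Client;
use GuzzleHttp\Handler\MockHandler;
use GuzzleHttp\HandlerStack;
use GuzzleHttp\Psr7\Response;
use GuzzleHttp\Psr7\UriResolver;
use GuzzleHttp\Psr7\Utils;

// Hypothetical helper: reject a host that is, or resolves to, a private or reserved address.
function assertPublicHost(string $host): void
{
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : (gethostbynamel($host) ?: []);
    if ($ips === []) {
        throw new RuntimeException("Cannot resolve $host"); // fail closed
    }
    foreach ($ips as $ip) {
        if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
            throw new RuntimeException("Blocked destination $ip");
        }
    }
}
// Hypothetical helper: follow redirects manually so each hop gets the same check as the first URL.
function fetchValidated(Client $client, string $url, int $maxHops = 3)
{
    $uri = Utils::uriFor($url);
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!in_array($uri->getScheme(), ['http', 'https'], true)) {
            throw new RuntimeException('Blocked scheme ' . $uri->getScheme());
        }
        assertPublicHost($uri->getHost());
        // allow_redirects => false stops Guzzle from silently following a 3xx response
        $response = $client->request('GET', $uri, ['allow_redirects' => false]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400 || !$response->hasHeader('Location')) {
            return $response;
        }
        // Resolve a relative Location against the current URL, then loop to re-validate it
        $uri = UriResolver::resolve($uri, Utils::uriFor($response->getHeaderLine('Location')));
    }
    throw new RuntimeException('Too many redirects');
}

// Constructed offline scenario: an allowed first hop answers with a redirect to a link-local address.
$mock = new MockHandler([new Response(302, ['Location' => 'http://169.254.169.254/'])]);
$client = new Client(['handler' => HandlerStack::create($mock)]);
try {
    fetchValidated($client, 'http://203.0.113.10/logo.png');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // the second hop is rejected before any request is sent to it
}
```

`gethostbynamel()` returns only IPv4 records, so IPv6 destinations fail closed here. The check and the later connection also resolve DNS separately, so a production version should pin the connection to the address it validated.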

Key dates

02 Disclosure timeline

February 9, 2026 CVE published
February 10, 2026 Record updated