CVE-2026-27129 MEDIUM

CVE-2026-27129: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

Vendor Craftcms
Product cms
Weakness CWE-918 · SSRF
Published February 24, 2026
Last update February 28, 2026
View on NVD All CVEs

CVSS base score

5.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

Key dates

02Disclosure timeline

February 24, 2026 CVE published
February 28, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-35409 Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import CVE-2024-27949 WordPress Sirv plugin <= 7.2.0 - Server Side Request Forgery (SSRF) vulnerability CVE-2026-39521 WordPress Nelio Content plugin <= 4.3.1 - Server Side Request Forgery (SSRF) vulnerability CVE-2024-52579 Server-Side Request Forgery vulnerability in various APIs in Misskey CVE-2024-1467 Starter Templates — Elementor, WordPress & Beaver Builder Templates <= 4.1.6 - Authenticated (Contributor+) Server-Side Request Forgery