CVE-2026-27129 Overview
CVE-2026-27129 is a Server-Side Request Forgery (SSRF) bypass vulnerability in Craft CMS affecting versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22. The vulnerability exists in the GraphQL Asset mutation's SSRF validation mechanism, which uses PHP's gethostbyname() function to resolve hostnames for blocklist comparison. Since gethostbyname() only resolves IPv4 addresses, a hostname that has only AAAA (IPv6) DNS records makes the function return the original hostname string, so the blocklist comparison consistently fails and the SSRF protection is bypassed completely.
This vulnerability is a bypass of the security fix for CVE-2025-68437, demonstrating that the original mitigation was incomplete for IPv6-only environments.
Critical Impact
Authenticated attackers with GraphQL schema permissions can bypass SSRF protections to access internal services, cloud metadata endpoints, and sensitive network resources via IPv6 addresses.
Affected Products
- Craft CMS versions 4.5.0-RC1 through 4.16.18
- Craft CMS versions 5.0.0-RC1 through 5.8.22
- Craft CMS installations with GraphQL Asset mutation enabled and write permissions configured
Discovery Timeline
- 2026-02-24 - CVE-2026-27129 published to NVD
- 2026-02-24 - Last updated in NVD database
Technical Details for CVE-2026-27129
Vulnerability Analysis
The SSRF vulnerability stems from an incomplete fix for CVE-2025-68437. The original security patch implemented hostname resolution using gethostbyname() to convert hostnames to IP addresses before checking against an internal blocklist. However, this approach has a critical flaw: gethostbyname() is an IPv4-only function that cannot resolve AAAA (IPv6) DNS records.
When an attacker supplies a hostname that only has IPv6 DNS records, gethostbyname() cannot perform the resolution and returns the original hostname string unchanged. Since the blocklist contains IP addresses (not hostnames), the comparison always fails, allowing the attacker to bypass SSRF protections entirely.
Exploitation requires specific GraphQL schema permissions: the ability to edit assets in a configured volume and create assets in that volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access. In misconfigured installations where the Public Schema has write permissions enabled, this could potentially be exploited by unauthenticated attackers.
Root Cause
The root cause is the use of gethostbyname() for hostname-to-IP resolution in security-critical validation logic. This PHP function only supports IPv4 address resolution. When presented with a hostname that has only AAAA records (IPv6), the function returns the hostname string itself rather than the resolved IP address or a failure indicator, causing the subsequent blocklist validation to be ineffective.
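The following is an added example, not Craft CMS code and not the advisory's patch. It reconstructs the resolution pattern the advisory describes (gethostbyname() followed by a blocklist check) beside a hardened check that resolves both A and AAAA records, fails closed when nothing resolves, and compares addresses in packed binary form against CIDR ranges. The function names, the blocklist contents, the injectable `$resolver` and the `$fakeDns` answers are all constructed for the example; the v6 ranges mirror the prefixes the advisory names but are widened to the full fe80::/10 and ::ffff:0:0/96 ranges, which textual prefix matching does not cover.

```php
<?php
// Added example, not Craft CMS code: reconstruction of the vulnerable
// resolution pattern from the advisory beside a hardened replacement that
// resolves A and AAAA records and compares packed addresses against CIDRs.

// Blocked ranges (constructed list). The v6 entries mirror the prefixes in the
// advisory, widened to the whole link-local and IPv4-mapped ranges.
const BLOCKED_CIDRS = [
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '169.254.0.0/16',
    '::1/128',          // loopback
    'fe80::/10',        // link-local
    'fd00:ec2::/32',    // AWS IMDS (fd00:ec2::254)
    'fd20:ce::/32',     // GCP metadata
    '::ffff:0:0/96',    // IPv4-mapped IPv6
];

/** True when $ip (textual IPv4 or IPv6) lies inside $cidr; compared on packed bytes. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable input, or different address families
    }
    $bits      = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF; // high $rem bits of the partial byte
    return ((ord($ipBin[$fullBytes]) ^ ord($netBin[$fullBytes])) & $mask) === 0;
}

function ipIsBlocked(string $ip): bool
{
    foreach (BLOCKED_CIDRS as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

// Vulnerable pattern: gethostbyname() asks only for A records and hands back the
// hostname unchanged when none exist, so for an AAAA-only name the "IP" handed to
// the blocklist is a hostname, inet_pton() fails, and nothing is ever blocked.
function hostAllowedVulnerable(string $host): bool
{
    return !ipIsBlocked(gethostbyname($host));
}

// Hardened pattern: resolve A and AAAA, fail closed when nothing resolves, and
// refuse the host if any answer lands in a blocked range. $resolver is injectable
// so the demonstration below runs offline; the default uses dns_get_record().
function hostAllowedHardened(string $host, ?callable $resolver = null): bool
{
    $resolver ??= function (string $h): array {
        $ips = [];
        foreach (dns_get_record($h, DNS_A | DNS_AAAA) ?: [] as $rec) {
            if (isset($rec['ip']))   { $ips[] = $rec['ip']; }
            if (isset($rec['ipv6'])) { $ips[] = $rec['ipv6']; }
        }
        return $ips;
    };
    $ips = $resolver($host);
    if ($ips === []) {
        return false; // unresolvable host: fail closed
    }
    foreach ($ips as $ip) {
        if (ipIsBlocked($ip)) {
            return false;
        }
    }
    return true;
}

// Constructed DNS answers standing in for a real resolver.
$fakeDns = [
    'v6only.example'       => ['fd00:ec2::254'],                // AAAA only, AWS IMDS
    'uncompressed.example' => ['fd00:0ec2:0:0:0:0:0:254'],      // same address, other spelling
    'linklocal.example'    => ['fe90::1'],                      // inside fe80::/10 but not "fe80:"-prefixed
    'dual.example'         => ['203.0.113.10', '2001:db8::10'], // public A and AAAA
];
$resolver = fn (string $h): array => $fakeDns[$h] ?? [];

foreach (array_keys($fakeDns) as $host) {
    printf("%-22s %s\n", $host, hostAllowedHardened($host, $resolver) ? 'allowed' : 'blocked');
}
```

The first three constructed hosts are refused by the hardened check and the fourth is allowed. The binary comparison is what makes `uncompressed.example` and `linklocal.example` fail: both are spellings that a `str_starts_with()` check on the textual address would let through.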
Attack Vector
The attack is network-based and requires low privileges (authenticated user with specific GraphQL permissions). An attacker can craft a GraphQL Asset mutation request with a URL pointing to a hostname configured with only IPv6 DNS records. The target hostname would resolve to an internal IPv6 address (such as cloud metadata endpoints like fd00:ec2:: for AWS IMDS), bypassing the SSRF blocklist entirely.
The security patch addresses this by adding explicit checks for IPv6 address prefixes associated with sensitive internal services:
return false;
}
+ $v6Prefixes = [
+ 'fd00:ec2::', // AWS IMDS, DNS, NTP
+ 'fd20:ce::', // GCP
+ '::1', // Loopback
+ 'fe80:', // Link-local
+ '::ffff:', // IPv4-mapped IPv6
+ ];
+
+ foreach ($v6Prefixes as $prefix) {
+ if (str_starts_with($ip, $prefix)) {
+ return false;
+ }
+ }
+
return true;
}
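Review bot: the new `foreach ($v6Prefixes as $prefix)` loop compares `$ip` as text with `str_starts_with()`, so each entry matches only one spelling of the address. `fd00:ec2:0:0:0:0:0:254` does not start with `'fd00:ec2::'`, `0:0:0:0:0:0:0:1` does not start with `'::1'`, and `'fe80:'` covers only the first /16 of the fe80::/10 link-local range (`fe90::1` passes). Normalising with `inet_pton($ip)` and comparing the packed bytes against `(network, prefix length)` pairs would close those gaps. Separately, nothing in this hunk changes how `$ip` is produced: if the caller still passes the return value of `gethostbyname()`, an AAAA-only hostname arrives here as the hostname string, which starts with none of these prefixes, so the loop only helps if the caller also resolves AAAA records (for example with `dns_get_record($host, DNS_AAAA)`) and runs each resulting address through this function.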
Source: GitHub Commit
Detection Methods for CVE-2026-27129
Indicators of Compromise
- GraphQL requests containing Asset mutations with external URLs pointing to IPv6-only hostnames
- Outbound connections from the Craft CMS server to internal IPv6 addresses (especially cloud metadata endpoints like fd00:ec2::254)
- Unusual asset creation or modification activity in GraphQL logs referencing internal network resources
Detection Strategies
- Monitor GraphQL query logs for Asset mutation operations with suspicious URL parameters containing IPv6 addresses or uncommon hostnames
- Implement network monitoring to detect outbound connections from web servers to internal IPv6 ranges (link-local, loopback, and cloud provider metadata prefixes)
- Review access logs for patterns of GraphQL requests attempting to access internal services through the Asset mutation endpoint
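As an added example of the log review described above (not part of the advisory and not Craft CMS code), the script below walks a constructed JSON-lines log of GraphQL requests and reports every Asset mutation whose URL argument points somewhere other than an allowlisted upload host. The log layout (`query` and `variables` keys), the `_file: {url: ...}` argument shape, the mutation-name pattern and the `ALLOWED_UPLOAD_HOSTS` list are all assumptions; adapt the extraction to the field names your own logs contain.

```php
<?php
// Added example, not Craft CMS code. Flags Asset mutations in a GraphQL
// request log whose URL host is an IP literal or a non-allowlisted name.
// Log format, argument names and the allowlist are assumptions.

const ALLOWED_UPLOAD_HOSTS = ['cdn.example.com', 'uploads.example.com']; // assumed allowlist

/** Collects every string found under a "url" key anywhere in the variables tree. */
function collectUrls(mixed $node, array &$out): void
{
    if (!is_array($node)) {
        return;
    }
    foreach ($node as $key => $value) {
        if ($key === 'url' && is_string($value)) {
            $out[] = $value;
        } else {
            collectUrls($value, $out);
        }
    }
}

/** Classifies a URL host as an IPv6 literal, IPv4 literal, allowlisted name or unknown name. */
function classifyHost(string $url): string
{
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return 'unparsable';
    }
    $bare = trim($host, '[]'); // parse_url keeps the brackets around IPv6 literals
    if (filter_var($bare, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        return 'ipv6-literal';
    }
    if (filter_var($bare, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return 'ipv4-literal';
    }
    return in_array(strtolower($bare), ALLOWED_UPLOAD_HOSTS, true) ? 'allowlisted' : 'unknown-host';
}

/** Scans JSON-lines log text; returns [line number, url, classification] per suspicious URL. */
function scanGraphqlLog(string $jsonLines): array
{
    $findings = [];
    foreach (explode("\n", trim($jsonLines)) as $i => $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry)) {
            continue; // not a log record we understand
        }
        $query = $entry['query'] ?? '';
        // Only mutations that touch assets are of interest (pattern is an assumption).
        if (!preg_match('/\bmutation\b/i', $query) || !preg_match('/asset/i', $query)) {
            continue;
        }
        $urls = [];
        collectUrls($entry['variables'] ?? [], $urls);
        foreach ($urls as $url) {
            $class = classifyHost($url);
            if ($class !== 'allowlisted') {
                $findings[] = [$i + 1, $url, $class];
            }
        }
    }
    return $findings;
}

// Constructed sample log: two benign records, two that warrant a look.
$sampleLog = <<<'LOG'
{"user":"editor","query":"mutation SaveAsset($file: FileInput) { save_uploads_Asset(_file: $file) { id } }","variables":{"file":{"url":"https://cdn.example.com/img/a.jpg","filename":"a.jpg"}}}
{"user":"editor","query":"query { assets { id } }","variables":{}}
{"user":"intern","query":"mutation SaveAsset($file: FileInput) { save_uploads_Asset(_file: $file) { id } }","variables":{"file":{"url":"http://[fd00:ec2::254]/","filename":"x"}}}
{"user":"intern","query":"mutation SaveAsset($file: FileInput) { save_uploads_Asset(_file: $file) { id } }","variables":{"file":{"url":"http://v6only.internal.example/","filename":"y"}}}
LOG;

foreach (scanGraphqlLog($sampleLog) as [$lineNo, $url, $class]) {
    printf("line %d: %s (%s)\n", $lineNo, $url, $class);
}
```

Hostnames classified as `unknown-host` are the ones worth resolving for AAAA records during triage, since a bare name is exactly what the vulnerable gethostbyname() path passes through unchanged; IP literals in the advisory's ranges are reportable on their own.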
Monitoring Recommendations
- Enable detailed logging for all GraphQL mutations, particularly those involving asset operations with external URLs
- Configure alerts for outbound connections from the CMS to IPv6 metadata endpoints such as fd00:ec2::, fd20:ce::, and ::1
- Audit GraphQL schema permissions regularly to ensure write permissions are not inadvertently exposed to unauthorized users or the public schema
How to Mitigate CVE-2026-27129
Immediate Actions Required
- Upgrade Craft CMS to version 4.16.19 or 5.8.23 immediately to apply the security patch
- Review GraphQL schema permissions and remove unnecessary write access for Asset mutations
- Audit the Public Schema configuration to ensure write permissions are disabled unless explicitly required
- Implement network-level restrictions preventing the web server from initiating connections to internal IPv6 ranges
Patch Information
Craft CMS has released patched versions that address this SSRF bypass vulnerability. The fix adds explicit validation for IPv6 address prefixes associated with sensitive internal services, including AWS IMDS, GCP metadata, loopback, link-local, and IPv4-mapped IPv6 addresses.
- Craft CMS 4.x: Upgrade to version 4.16.19 or later
- Craft CMS 5.x: Upgrade to version 5.8.23 or later
For additional details, refer to the GitHub Security Advisory GHSA-v2gc-rm6g-wrw9 and the related advisory for the original CVE-2025-68437 fix at GHSA-x27p-wfqw-hfcc.
Workarounds
- Disable GraphQL Asset mutations entirely if not required for your application
- Restrict GraphQL schema access to trusted administrative users only
- Configure network-level firewall rules to block outbound connections from the CMS server to internal IPv6 address ranges
# Example: Block outbound IPv6 to cloud metadata and internal ranges using ip6tables
# Rules are scoped with the owner match to the PHP/web-server user (www-data assumed here);
# an unscoped "-d ::1/128 -j DROP" would also cut every other local service off from loopback.
ip6tables -A OUTPUT -m owner --uid-owner www-data -d fd00:ec2::/32 -j DROP   # AWS IMDS (fd00:ec2::254)
ip6tables -A OUTPUT -m owner --uid-owner www-data -d fd20:ce::/32 -j DROP    # GCP metadata
ip6tables -A OUTPUT -m owner --uid-owner www-data -d ::1/128 -j DROP         # loopback
ip6tables -A OUTPUT -m owner --uid-owner www-data -d fe80::/10 -j DROP       # link-local
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.