CVE-2026-31317: CraftQL SSRF Vulnerability

CVE-2026-31317 Overview

CVE-2026-31317 is a Server-Side Request Forgery (SSRF) vulnerability affecting CraftQL versions 1.3.7 and earlier. CraftQL is a GraphQL plugin for the Craft CMS platform, developed by Mark Huot. The flaw resides in the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file, which fails to validate user-supplied URLs before issuing server-side HTTP requests. Attackers can abuse this behavior to force the server to fetch arbitrary resources, including internal network endpoints. The issue is tracked under CWE-918: Server-Side Request Forgery.

Critical Impact

Unauthenticated network-based exploitation allows attackers to coerce the vulnerable server into making outbound requests to attacker-chosen destinations, exposing internal services and confidential data.

Affected Products

• CraftQL plugin version 1.3.7
• CraftQL plugin versions prior to 1.3.7
• Craft CMS installations that load the markhuot/craftql package

Discovery Timeline

• 2026-04-17 - CVE-2026-31317 published to NVD
• 2026-04-20 - Last updated in NVD database

Technical Details for CVE-2026-31317

Vulnerability Analysis

The vulnerability resides in the GetAssetsFieldSchema.php listener within the CraftQL plugin. The listener processes asset field schema requests and issues HTTP requests using URL parameters that originate from client input. The plugin does not enforce allow-list validation, scheme restrictions, or destination filtering on these URLs.

Because CraftQL exposes GraphQL endpoints, an unauthenticated attacker can submit crafted queries that cause the server to fetch arbitrary URLs. The advisory describes downstream code execution risk, indicating the SSRF primitive can be chained with internal services that accept attacker-controlled payloads. The CWE classification confirms this as CWE-918.

Root Cause

The root cause is missing URL validation in the asset schema listener. The component trusts request-supplied URLs and passes them directly to the HTTP client used for remote asset retrieval. There is no parsing of the URL scheme, no blocklist for loopback or link-local ranges, and no filtering of internal hostnames. As a result, the server-side request inherits the network position and trust of the Craft CMS host.

Attack Vector

The attack vector is the network. Exploitation requires no privileges and no user interaction. An attacker sends a GraphQL request to an exposed CraftQL endpoint with a URL parameter pointing to an internal address such as http://127.0.0.1, a cloud metadata endpoint such as http://169.254.169.254/latest/meta-data/, or any reachable internal service. The vulnerable listener performs the request and may return the response to the attacker, enabling reconnaissance of internal infrastructure, retrieval of cloud credentials, and pivoting to internal HTTP-based services.

The vulnerability mechanism is documented in the public proof-of-concept at GitHub SSRF Detailed README.

Detection Methods for CVE-2026-31317

Indicators of Compromise

• Outbound HTTP requests originating from the Craft CMS PHP process to internal RFC1918 addresses or loopback interfaces.
• GraphQL query logs referencing asset field schema operations with externally supplied URL parameters.
• Access attempts from the web server to cloud instance metadata endpoints such as 169.254.169.254.
• Unexpected DNS lookups from the CraftQL host for attacker-controlled domains used as SSRF callbacks.

Detection Strategies

• Inspect web server and application logs for GraphQL POST requests targeting CraftQL endpoints with URL-shaped string arguments.
• Correlate inbound GraphQL requests with outbound HTTP traffic from the PHP-FPM or web worker process within a short time window.
• Deploy egress filtering alerts that flag application-server traffic to internal subnets, loopback, or metadata services.

Monitoring Recommendations

• Enable verbose query logging on the GraphQL endpoint to capture full query bodies, including variables.
• Forward web server, PHP error, and proxy logs to a centralized SIEM for correlation across request and egress events.
• Track requests to the GetAssetsFieldSchema code path and alert on parameters containing URL schemes such as http://, file://, or gopher://.

How to Mitigate CVE-2026-31317

Immediate Actions Required

• Upgrade the CraftQL plugin to a release later than 1.3.7 once a fixed version is published by the maintainer.
• Restrict access to GraphQL endpoints to authenticated users and trusted networks while a patch is being evaluated.
• Apply egress firewall rules that block the Craft CMS host from reaching internal subnets, loopback, and cloud metadata addresses.
• Audit existing logs for prior exploitation attempts referencing asset field schema operations with URL parameters.

Patch Information

No vendor-confirmed patch is listed in the NVD record at the time of publication. Track the upstream project at the GitHub CraftQL Repository for fixed releases. Until a vendor patch is available, treat the plugin as exposed and apply compensating controls.

Workarounds

• Disable the CraftQL plugin on production Craft CMS instances if GraphQL is not required.
• Place the GraphQL endpoint behind a reverse proxy that strips or validates URL-typed parameters before forwarding requests.
• Configure outbound proxy enforcement on the PHP runtime so that all HTTP requests pass through a filtering proxy with an allow-list of permitted destinations.
• Apply Instance Metadata Service v2 (IMDSv2) requirements on AWS hosts to require session tokens for metadata access, raising the bar for SSRF-driven credential theft.

# Example egress restriction using iptables to block SSRF targets
iptables -A OUTPUT -m owner --uid-owner www-data -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 169.254.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner www-data -d 192.168.0.0/16 -j REJECT