CVE-2026-41130 Overview
CVE-2026-41130 is a Server-Side Request Forgery (SSRF) vulnerability affecting Craft CMS, a popular content management system. The vulnerability exists in the resource-js endpoint, which accepts unauthenticated requests and proxies remote JavaScript resources. When trustedHosts is left at its default of ['any'] rather than restricted to known proxy addresses, the application trusts request-supplied host information, so an attacker controls the baseUrl that actionResourceJs() derives from the request and then uses for prefix validation.
Critical Impact
Attackers can manipulate Host headers to bypass URL validation and force the Craft CMS server to make arbitrary HTTP requests to internal or external resources, potentially exposing sensitive internal services, cloud metadata endpoints, or enabling further network reconnaissance.
Affected Products
- Craft CMS 4.x through version 4.17.8
- Craft CMS 5.x through version 5.9.14
Discovery Timeline
- 2026-04-22 - CVE-2026-41130 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-41130
Vulnerability Analysis
This SSRF vulnerability (CWE-918) stems from the default trust placed in request-supplied host information. The resource-js endpoint is designed to proxy JavaScript resources, but the prefix validation logic in actionResourceJs() relies on baseUrl, which is derived from the request's host. With trustedHosts left at its default of ['any'], Craft (through Yii's Request::$trustedHosts) honours X-Forwarded-Host and X-Forwarded-Proto from any client, and the plain Host header is likewise attacker-chosen unless the web server pins its server name.
An attacker can craft malicious HTTP requests with a manipulated Host header pointing to their controlled domain. When the server processes these requests, it uses the attacker-supplied host to construct the baseUrl, effectively bypassing the intended URL prefix validation. This allows the attacker to redirect the server's outbound HTTP requests to arbitrary destinations, including internal network resources that should not be accessible from the public internet.
Root Cause
The root cause lies in the trust relationship between the application and the HTTP Host header. In the default Craft CMS configuration, trustedHosts is not restricted, causing the application to accept and use any Host header value provided by clients. The actionResourceJs() function then uses this untrusted input to derive the baseUrl for prefix validation, creating a path for attackers to bypass security controls.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP requests to the resource-js endpoint with a malicious Host header. The server then issues HTTP requests to attacker-specified destinations, potentially accessing internal services, cloud metadata endpoints (such as 169.254.169.254), or other sensitive resources within the network perimeter.
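The following Python model is added here as an illustration; it is not code from Craft CMS or Yii. It shows the mechanism described above: a base URL derived from request headers under the documented rules of Yii's Request::$trustedHosts (which Craft's trustedHosts setting configures), the weak prefix compare against that base URL, and a hardened compare against an operator-configured canonical URL. The function names, the constructed request values and the 10.0.0.0/8 proxy range are assumptions. It also goes beyond the Host-header case in the text by showing that a bare string-prefix check is independently fooled by a userinfo URL (`https://www.example.com@attacker.example/`).

```python
"""Model of a Host-derived prefix check of the kind the text describes.

Added illustration; not Craft CMS or Yii code. derive_base_url() follows the
documented semantics of Yii's Request::$trustedHosts (which Craft's trustedHosts
setting configures): forwarded headers are honoured only when the peer address
falls in a listed range, and 'any' (Craft's default) trusts every peer. All
function and parameter names here are hypothetical.
"""
import ipaddress
from urllib.parse import urlparse


def derive_base_url(peer_ip: str, headers: dict, trusted_hosts: list) -> str:
    """Return scheme://host the way a framework that trusts forwarded headers does.

    X-Forwarded-Host/-Proto are used only if peer_ip matches trusted_hosts.
    The plain Host header is the fallback and is also client-supplied unless
    the web server pins a canonical server name.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    peer = ipaddress.ip_address(peer_ip)
    forwarded_trusted = False
    for rng in trusted_hosts:
        if rng == "any":
            forwarded_trusted = True
            break
        try:
            if peer in ipaddress.ip_network(rng, strict=False):
                forwarded_trusted = True
                break
        except ValueError:
            continue  # a hostname here is a misconfiguration and matches no peer
    scheme, host = "http", hdrs.get("host", "")
    if forwarded_trusted:
        host = hdrs.get("x-forwarded-host", host)
        scheme = hdrs.get("x-forwarded-proto", scheme)
    return f"{scheme}://{host}"


def vulnerable_is_allowed(url: str, request_base_url: str) -> bool:
    """The weak pattern: a prefix compare against a base URL derived from the request."""
    return url.startswith(request_base_url)


def hardened_is_allowed(url: str, canonical_base_url: str) -> bool:
    """Compare the parsed target to a configured canonical base URL, never to the request."""
    target, canon = urlparse(url), urlparse(canonical_base_url)
    if target.scheme not in ("http", "https") or target.scheme != canon.scheme:
        return False
    if not target.hostname or target.hostname != canon.hostname:
        return False
    if target.port != canon.port:  # both None when no explicit port is given
        return False
    return target.path.startswith(canon.path or "/")


def demo() -> dict:
    """Run the scenarios from the text against constructed requests."""
    canonical = "https://www.example.com"
    evil_js = "https://attacker.example/payload.js"
    # Attacker on a public address supplies forwarded headers naming their own host.
    forged = {"Host": "www.example.com",
              "X-Forwarded-Host": "attacker.example",
              "X-Forwarded-Proto": "https"}
    base_default = derive_base_url("203.0.113.5", forged, ["any"])            # Craft default
    base_restricted = derive_base_url("203.0.113.5", forged, ["10.0.0.0/8"])  # proxy range only
    # Even with trustedHosts restricted, a raw Host header reaches the app if the
    # web server does not pin its server name.
    base_rawhost = derive_base_url("203.0.113.5", {"Host": "attacker.example"}, ["10.0.0.0/8"])
    return {
        "base_default": base_default,
        "base_restricted": base_restricted,
        "base_rawhost": base_rawhost,
        "vuln_default": vulnerable_is_allowed(evil_js, base_default),
        "vuln_restricted": vulnerable_is_allowed(evil_js, base_restricted),
        "vuln_rawhost": vulnerable_is_allowed("http://attacker.example/payload.js", base_rawhost),
        "hardened_evil": hardened_is_allowed(evil_js, canonical),
        "hardened_legit": hardened_is_allowed(canonical + "/cpresources/app.js", canonical),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Restricting trustedHosts closes the forwarded-header route but, as base_rawhost shows, does nothing about a raw Host header the web server passes through; that is why the canonical URL in hardened_is_allowed must come from configuration (the role Craft's @web alias plays) and why the check parses the URL instead of comparing string prefixes.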
The published hunks of the fix commit show only added imports: one file gains StringHelper, another gains craft\db\Query and craft\db\Table. That points to string-based validation and a database lookup being added, but the hunks do not include the changed validation logic itself:
use craft\helpers\Html;
use craft\helpers\Json;
use craft\helpers\Session;
+use craft\helpers\StringHelper;
use craft\helpers\Update as UpdateHelper;
use craft\helpers\UrlHelper;
use craft\models\Update;
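Review bot: only the added `use craft\helpers\StringHelper;` import is visible in this hunk, with no call site, so the validation the surrounding text credits to StringHelper cannot be reviewed from the diff as shown; the changed body of actionResourceJs() should be included alongside it. The import sits in alphabetical order between Session and Update, so there is no style issue with its placement.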
Source: GitHub Commit ebe7e85
A second hunk in the same commit adds database query helpers, again without the code that uses them:
use craft\db\Connection;
use craft\db\mysql\Schema as MysqlSchema;
use craft\db\pgsql\Schema as PgsqlSchema;
+use craft\db\Query;
+use craft\db\Table;
use craft\elements\User;
use craft\enums\LicenseKeyStatus;
use craft\errors\InvalidPluginException;
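Review bot: `craft\db\Query` and `craft\db\Table` are imported here without any visible query, so how the lookup is keyed and whether its parameters are bound cannot be checked from this hunk; include the query construction in the patch under review and state in the commit message which table is consulted and what a hit or miss means for the request.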
Source: GitHub Commit ebe7e85
Detection Methods for CVE-2026-41130
Indicators of Compromise
- Unusual outbound HTTP requests originating from the Craft CMS web server to internal IP ranges or cloud metadata endpoints
- Access logs showing requests to /resource-js with anomalous or unexpected Host header values
- Network traffic from the web server to internal services that should not be accessible
Detection Strategies
- Monitor web server access logs for requests containing unusual Host headers that do not match expected domain names
- Implement network-level monitoring to detect outbound connections from the web server to private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), to link-local addresses including the cloud metadata IP 169.254.169.254, and to loopback
- Configure WAF rules to detect and block requests with suspicious Host header manipulation patterns
Monitoring Recommendations
- Log the Host and X-Forwarded-Host values of every request at the web server or reverse proxy (for example nginx's $host and $http_x_forwarded_host variables in the access log format), since the default combined log format records neither
- Set up alerts for outbound network connections from the web server tier to sensitive internal resources
- Review web application firewall logs for blocked requests targeting the resource-js endpoint
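The script below is an added example, not part of the original page or of Craft CMS, that runs the detection strategies above over constructed data. It assumes an nginx combined-format access log with two appended fields, host="$host" and xfh="$http_x_forwarded_host"; it matches the endpoint on the substring resource-js because the exact URL depends on how the install routes actions; and the allowed hostnames, log lines and egress flow records are all constructed samples.

```python
"""Detection over constructed web-server and flow records for the indicators above.

Added example, not part of the original page or of Craft CMS. The access-log
format is assumed: nginx combined format with two appended fields, host="$host"
and xfh="$http_x_forwarded_host". The request path is matched on the substring
'resource-js' because the exact URL depends on how the install routes actions.
All log lines and flow records below are constructed sample data.
"""
import ipaddress
import re

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # hypothetical site hostnames

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" host="(?P<host>[^"]*)" xfh="(?P<xfh>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed
    '203.0.113.5 - - [22/Apr/2026:10:00:01 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 5120 "-" "Mozilla/5.0" host="www.example.com" xfh="-"',
    '198.51.100.7 - - [22/Apr/2026:10:00:02 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 5120 "-" "curl/8.5.0" host="attacker.example" xfh="-"',
    '198.51.100.7 - - [22/Apr/2026:10:00:03 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 5120 "-" "curl/8.5.0" host="www.example.com" xfh="attacker.example"',
    '198.51.100.9 - - [22/Apr/2026:10:00:04 +0000] "GET /about HTTP/1.1" 200 812 "-" "Mozilla/5.0" host="attacker.example" xfh="-"',
    '203.0.113.6 - - [22/Apr/2026:10:00:05 +0000] "GET /actions/app/resource-js HTTP/1.1" 200 5120 "-" "Mozilla/5.0" host="www.example.com:443" xfh="-"',
]


def parse_line(line: str):
    """Return the named fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _bare_host(value: str) -> str:
    """Lower-case a host value and drop an explicit port; '-' means the header was absent.

    Bracketed IPv6 literals are not handled; they are rare in Host headers."""
    return "" if value in ("", "-") else value.rsplit(":", 1)[0].lower()


def suspicious_resource_js_requests(lines, allowed_hosts):
    """Requests to the resource-js endpoint whose Host or X-Forwarded-Host is off-list."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or "resource-js" not in rec["path"]:
            continue
        offending = [f"{field}={rec[field]}" for field in ("host", "xfh")
                     if _bare_host(rec[field]) and _bare_host(rec[field]) not in allowed_hosts]
        if offending:
            findings.append({"client": rec["client"], "time": rec["time"],
                             "path": rec["path"], "offending": offending})
    return findings


def is_sensitive_destination(ip: str) -> bool:
    """RFC 1918, loopback and link-local (covers 169.254.169.254) plus IPv6 equivalents."""
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local


SAMPLE_FLOWS = [  # constructed (src, dst) pairs seen at the web tier's egress
    ("10.0.1.20", "169.254.169.254"),
    ("10.0.1.20", "93.184.216.34"),
    ("10.0.1.20", "10.0.2.5"),
    ("10.0.1.21", "10.0.2.5"),
]


def flag_egress(flows, web_server_ip):
    """Egress from the web server to destinations it should not reach directly."""
    return [(src, dst) for src, dst in flows
            if src == web_server_ip and is_sensitive_destination(dst)]


if __name__ == "__main__":
    for finding in suspicious_resource_js_requests(SAMPLE_LOG, ALLOWED_HOSTS):
        print("suspicious:", finding)
    for flow in flag_egress(SAMPLE_FLOWS, "10.0.1.20"):
        print("egress:", flow)
```

Of the five sample lines only the two from 198.51.100.7 are reported (one by Host, one by X-Forwarded-Host); the off-list Host on /about is ignored because it does not touch the endpoint, and the host with an explicit :443 port is normalised before comparison. The egress check flags the metadata address and the internal 10.0.2.5 destination but not the public address.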
How to Mitigate CVE-2026-41130
Immediate Actions Required
- Upgrade Craft CMS 4.x installations to version 4.17.9 or later
- Upgrade Craft CMS 5.x installations to version 5.9.15 or later
- Review and explicitly configure the trustedHosts setting in Craft CMS configuration
Patch Information
The vulnerability has been addressed in Craft CMS versions 4.17.9 and 5.9.15. The imports visible in the fix commit (StringHelper, craft\db\Query and craft\db\Table) indicate that the URL check now uses string validation and a database lookup rather than depending on a baseUrl derived from the request's host, but the published hunks do not show the new logic in full. For detailed patch information, refer to the GitHub Security Advisory GHSA-95wr-3f2v-v2wh and the security commit.
Workarounds
- Set trustedHosts in config/general.php to the address ranges of your reverse proxy or load balancer. The setting is Yii's Request::$trustedHosts: a list of peer IP ranges whose X-Forwarded-* headers are honoured, and its default ['any'] trusts every client. Also define the @web alias explicitly so the site's base URL is fixed in configuration rather than derived from the request
- Have the web server or reverse proxy reject requests whose Host header does not match a configured server name (in nginx, a catch-all default server that returns 444) and strip client-supplied X-Forwarded-* headers before forwarding to PHP
- Restrict outbound network access from the web server to limit SSRF impact
// Example: config/general.php (array-style Craft general config)
// trustedHosts is Yii's Request::$trustedHosts: IP ranges of peers allowed to set
// X-Forwarded-* headers, not domain names. Default is ['any'].
'trustedHosts' => ['10.0.0.0/8'],   // replace with your proxy / load-balancer range
// Pin the base URL so it is never derived from the request's Host header
'aliases' => ['@web' => 'https://www.example.com'],
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

