Craft has an SSRF in GraphQL Asset Mutation via HTTP Redirect
Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation validates the initial URL hostname and resolved IP against a blocklist, but Guzzle follows HTTP redirects by default. An attacker can bypass all SSRF protections by hosting a redirect that points to cloud metadata endpoints or any internal IP addresses. This issue is patched in versions 4.16.18 and 5.8.22.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Craft CMS versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 allow SSRF bypass via HTTP redirect in the saveAsset GraphQL mutation.
Vulnerability
Overview
The saveAsset GraphQL mutation in Craft CMS validates the initial URL hostname and resolved IP against a blocklist to prevent server-side request forgery (SSRF). However, the underlying HTTP client (Guzzle) follows HTTP redirects by default, allowing an attacker to bypass the SSRF protections entirely [1][2]. The vulnerability affects versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21 [1].
Exploitation
Method
An attacker can host a URL that passes the initial hostname/IP validation, but that URL redirects to a cloud metadata endpoint (e.g., AWS, GCP, Azure) or any internal IP address. Because Guzzle follows redirects, the attacker can force the server to fetch resources from internal networks or cloud instance metadata services that are normally inaccessible [1][3]. No authentication is required to trigger the mutation, and the attack can be performed remotely without special network privileges.
Impact
Successful exploitation allows an attacker to read sensitive information, such as cloud provider instance metadata, internal service credentials, or other data hosted on internal IP addresses. This could lead to lateral movement, privilege escalation, or data exfiltration depending on the environment [1][3]. The vulnerability is classified as an SSRF with high impact.
Mitigation
The issue is patched in Craft CMS versions 4.16.18 and 5.8.22 by disabling Guzzle's redirect following for this specific mutation [1][2][3]. Users should upgrade immediately. No workaround is provided for unpatched versions [1].
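The defensive pattern behind the fix, as an added Python example (not Craft's or Guzzle's code): the HTTP client never follows redirects on its own, and the caller either refuses any 3xx outright (what the patch does) or, as a generalisation, walks redirects by hand and re-runs the hostname/IP blocklist check on every hop. The blocklist, FAKE_DNS and FAKE_WEB are constructed for the example so it runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

# Constructed blocklist (the product's own list is not on the page);
# 169.254.0.0/16 is where AWS/GCP/Azure instance metadata lives.
BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
MAX_HOPS = 5

def validate_target(url, resolve):
    """Reject non-HTTP schemes and hosts that resolve into a blocked range."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or not p.hostname:
        raise ValueError(f"unsupported URL {url}")
    ip = ipaddress.ip_address(resolve(p.hostname))   # resolve: hostname -> IP
    if any(ip in net for net in BLOCKED):
        raise ValueError(f"blocked destination {p.hostname} -> {ip}")

def safe_fetch(url, fetch, resolve, follow=False):
    """fetch(url) -> (status, headers), never auto-following redirects. follow=False
    treats any 3xx as an error (the Craft fix); follow=True walks and re-validates each hop."""
    for _ in range(MAX_HOPS):
        validate_target(url, resolve)
        status, headers = fetch(url)
        if status in (301, 302, 303, 307, 308):
            if not follow:
                raise ValueError(f"redirect refused at {url}")
            url = urljoin(url, headers.get("Location", ""))  # relative Location ok
            continue
        if status != 200:
            raise ValueError(f"unexpected status {status}")
        return url
    raise ValueError("too many redirects")

# Constructed offline scenario: a public host redirecting to the metadata service.
FAKE_DNS = {"files.example.com": "203.0.113.10", "cdn.example.net": "198.51.100.7"}
FAKE_WEB = {
    "https://files.example.com/a.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}),
    "https://cdn.example.net/b.png": (302, {"Location": "/real/b.png"}),
    "https://cdn.example.net/real/b.png": (200, {}),
}

def outcome(url, follow=False):
    """Run safe_fetch against the fake network: 'ok:<final url>' or 'rejected:<why>'."""
    try:
        final = safe_fetch(url, lambda u: FAKE_WEB.get(u, (404, {})),
                           lambda h: FAKE_DNS.get(h, h), follow)
        return f"ok:{final}"
    except ValueError as e:
        return f"rejected:{e}"
```

The first scenario passes the initial check (a public IP) and only reaches the blocked range through the redirect, which is exactly the hop a client-side `allow_redirects` default would have followed unchecked.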
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.22 | 5.8.22 |
| craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.16.18 | 4.16.18 |
Affected products
Patches
2 files changed · +6 −2
CHANGELOG.md+1 −1 modified@@ -5,7 +5,7 @@ - The `utils/fix-field-layout-uids` command now checks for duplicate top-level field layout UUIDs. ([#18193](https://github.com/craftcms/cms/pull/18193)) - Fixed a bug where all plugin settings were being saved to the project config, rather than just posted settings. ([craftcms/commerce#4006](https://github.com/craftcms/commerce/issues/4006)) - Fixed a bug where custom selects could be positioned incorrectly after the window was resized. ([#18179](https://github.com/craftcms/cms/issues/18179)) -- Fixed an SSRF vulnerability. (GHSA-96pq-hxpw-rgh8) +- Fixed SSRF vulnerabilities. (GHSA-96pq-hxpw-rgh8, GHSA-8jr8-7hr4-vhfx) - Fixed a SQL injection vulnerability. (GHSA-2453-mppf-46cj) ## 4.16.17 - 2025-12-0421
src/gql/resolvers/mutations/Asset.php+5 −1 modified@@ -24,6 +24,7 @@ use GraphQL\Error\UserError; use GraphQL\Type\Definition\ResolveInfo; use GuzzleHttp\Client; +use GuzzleHttp\RequestOptions; use Throwable; use yii\base\Exception; use yii\base\InvalidArgumentException; @@ -259,7 +260,10 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo // Download the file $tempPath = AssetsHelper::tempFilePath($extension); - $this->createGuzzleClient()->request('GET', $url, ['sink' => $tempPath]); + $this->createGuzzleClient()->request('GET', $url, [ + RequestOptions::ALLOW_REDIRECTS => false, + RequestOptions::SINK => $tempPath, + ]); } if (!$tempPath || !$filename) {
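Review bot: in the second hunk of src/gql/resolvers/mutations/Asset.php, setting `RequestOptions::ALLOW_REDIRECTS => false` stops Guzzle from following a 3xx, but Guzzle's default `http_errors` only throws on 4xx/5xx, so a redirect response is returned normally and its body is written to `$tempPath` through `RequestOptions::SINK`; the following `if (!$tempPath || !$filename)` check does not catch this, so a redirecting URL ends up stored as a stub asset rather than failing. Suggest keeping the response and rejecting anything but a 200, e.g. `$response = $this->createGuzzleClient()->request('GET', $url, [...]);` followed by `if ($response->getStatusCode() !== 200) { throw new UserError('Unable to download the asset.'); }` (`UserError` is already imported in the first hunk), so the redirect case fails loudly and is visible in logs.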
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8jr8-7hr4-vhfx (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25493 (advisory)
- github.com/craftcms/cms/commit/0974055634af68998f67850ab2045d8aaa19fa98 (fix commit)
- github.com/craftcms/cms/releases/tag/4.16.18 (release)
- github.com/craftcms/cms/releases/tag/5.8.22 (release)
- github.com/craftcms/cms/security/advisories/GHSA-8jr8-7hr4-vhfx (vendor advisory)