VYPR
Moderate severity · NVD Advisory · Published Feb 24, 2026 · Updated Feb 28, 2026

Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

CVE-2026-27129

Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the ` volume and creating assets in the ` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Craft CMS 4.5.0-RC1–4.16.18 and 5.0.0-RC1–5.8.22 fail to block SSRF when a hostname resolves only over IPv6, bypassing CVE-2025-68437's fix.

Root Cause

The SSRF validation in Craft CMS's GraphQL asset mutation relies on gethostbyname() to resolve hostnames before comparing them against a blocklist of internal IP addresses. gethostbyname() only returns IPv4 (A) records. When a hostname has only AAAA (IPv6) records, the function fails to resolve and returns the original hostname string unchanged. The blocklist check then compares that string against IPv4 addresses, which never matches, so the request proceeds without restriction. This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc) [1][2].
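
The failure mode described above next to one hardened alternative, as an added PHP example that is not Craft CMS's code or its patch. The block list, function names, and DNS data are constructed, and the resolvers are injected callables so the script runs offline.

```php
<?php
// Added illustration, not Craft CMS code; all names are hypothetical.
// Constructed block list in CIDR form, matched on packed bytes rather than strings.
const BLOCKED_CIDRS = ['127.0.0.0/8', '169.254.0.0/16', '::1/128', 'fe80::/10', 'fc00::/7', '::ffff:0:0/96'];

function isBlocked(string $ip): bool
{
    if (!filter_var($ip, FILTER_VALIDATE_IP)) {
        return true; // not an IP literal: fail closed
    }
    $a = inet_pton($ip);
    foreach (BLOCKED_CIDRS as $cidr) {
        [$net, $bits] = explode('/', $cidr);
        $n = inet_pton($net);
        $full = intdiv((int) $bits, 8);
        $mask = (0xFF << (8 - (int) $bits % 8)) & 0xFF; // 0 on a byte boundary
        if (strlen($a) === strlen($n) && substr($a, 0, $full) === substr($n, 0, $full)
            && ($mask === 0 || (ord($a[$full]) & $mask) === (ord($n[$full]) & $mask))) {
            return true;
        }
    }
    return false;
}

// Pattern the advisory describes: an IPv4-only lookup that returns its argument
// unchanged on failure, followed by a comparison against IPv4 literals.
function weakCheck(string $host, callable $resolveV4): bool
{
    return !in_array($resolveV4($host), ['127.0.0.1', '169.254.169.254'], true);
}

// Hardened: resolve A and AAAA, check every address, fail closed on no answer.
function strictCheck(string $host, callable $resolveAll): bool
{
    $ips = filter_var($host, FILTER_VALIDATE_IP) ? [$host] : $resolveAll($host);
    foreach ($ips as $ip) {
        if (isBlocked($ip)) {
            return false;
        }
    }
    return $ips !== []; // no A or AAAA answer: reject
}

// Constructed DNS data; a real resolver could use dns_get_record($host, DNS_A | DNS_AAAA).
$zone = ['v6only.example' => ['AAAA' => ['fd00:ec2::254']], 'www.example' => ['A' => ['203.0.113.10']]];
$v4 = fn($h) => $zone[$h]['A'][0] ?? $h; // gethostbyname() semantics
$all = fn($h) => array_merge($zone[$h]['A'] ?? [], $zone[$h]['AAAA'] ?? []);
foreach (array_keys($zone) as $h) {
    printf("%-15s weak=%d strict=%d\n", $h, weakCheck($h, $v4), strictCheck($h, $all));
}
```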

Exploitation

An attacker must have GraphQL permissions to edit assets and create assets in the target volume. These permissions can be granted to authenticated users via GraphQL schema access or to the Public Schema if misconfigured with write permissions [1][2]. By providing a URL that resolves only over IPv6 (e.g., a service like fd00-ec2--254.sslip.io pointing to the cloud metadata endpoint), the attacker sends a mutation such as save__Asset with that URL. The validation passes because the hostname string is not in the blocklist of IPv4 addresses. The server then fetches the content from the internal IP, stores it as an asset, and the attacker can later retrieve that asset [2][3].

Impact

Successful exploitation allows an authenticated user to make the server send HTTP requests to internal infrastructure such as AWS metadata endpoints (169.254.169.254) or other internal services. The fetched content is saved as an asset, enabling exfiltration of sensitive information and potential further compromise of cloud resources [1][2][3].

Mitigation

The vulnerability is patched in Craft CMS versions 4.16.19 and 5.8.23, where gethostbyname() is replaced by a function that also handles IPv6 resolution [1][2]. Users should upgrade immediately; no workaround is provided for unpatched versions.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.8.23 | 5.8.23 |
| craftcms/cms (Packagist) | >= 3.5.0, < 4.16.19 | 4.16.19 |

Patches

1
2825388b4f32

Fixed GHSA-v2gc-rm6g-wrw9

https://github.com/craftcms/cms · brandonkelly · Jan 14, 2026 · via ghsa
2 files changed · +15 1
  • CHANGELOG.md+1 1 modified
    @@ -3,7 +3,7 @@
     ## Unreleased
     
     - Fixed XSS vulnerabilities. (GHSA-6j87-m5qx-9fqp, GHSA-3jh3-prx3-w6wc)
    -- Fixed an SSRF vulnerability. (GHSA-gp2f-7wcm-5fhx)
    +- Fixed SSRF vulnerabilities. (GHSA-gp2f-7wcm-5fhx, GHSA-v2gc-rm6g-wrw9)
     
     ## 4.16.18 - 2026-01-09
     
    
  • src/gql/resolvers/mutations/Asset.php+14 0 modified
    @@ -345,6 +345,20 @@ private function validateIp(string $ip): bool
                 return false;
             }
     
    +        $v6Prefixes = [
    +            'fd00:ec2::', // AWS IMDS, DNS, NTP
    +            'fd20:ce::', // GCP
    +            '::1', // Loopback
    +            'fe80:', // Link-local
    +            '::ffff:', // IPv4-mapped IPv6
    +        ];
    +
    +        foreach ($v6Prefixes as $prefix) {
    +            if (str_starts_with($ip, $prefix)) {
    +                return false;
    +            }
    +        }
    +
             return true;
         }
     
    
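Review bot: The prefix loop added to validateIp() matches on the textual spelling of $ip with str_starts_with(), so it only holds if $ip arrives lowercase and in compressed form, and these lines do not show where that is guaranteed. The 'fe80:' entry also covers only part of fe80::/10, and '::1' matches any address whose text begins with "::1", not just loopback. Suggest parsing with inet_pton() and comparing the packed bytes against CIDR ranges, with a comment stating where $ip is normalized and a test per prefix.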

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
