Statamic Vulnerable to Server-Side Request Forgery via Glide
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs, either via the image URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Statamic CMS prior to 5.73.11/6.4.0 allows unauthenticated SSRF via the Glide image proxy in insecure mode, enabling access to internal services.
Vulnerability
Overview
CVE-2026-28423 affects Statamic, a Laravel and Git powered CMS. When Glide image manipulation is used in insecure mode (not the default), the image proxy can be abused by an unauthenticated attacker to make the server send HTTP requests to arbitrary URLs, either through the image URL directly or through the watermark feature [1]. This Server-Side Request Forgery (SSRF) vulnerability allows an attacker to probe internal services, cloud metadata endpoints, and other hosts reachable from the server [1].
Exploitation
No authentication is required to trigger the SSRF. Insecure mode must have been enabled by the administrator; it is not the default configuration [1]. An attacker can craft a request to the image proxy that includes an external URL, or that leverages the watermark functionality, to force the server to fetch a remote resource from an attacker-controlled or internal address [1].
Impact
Successful exploitation can lead to information disclosure from internal systems, such as cloud provider instance metadata (e.g., AWS, GCP or Azure), or access to other internal services that are not intended to be exposed externally [1]. This could be a stepping stone for further attacks within the internal network.
Mitigation
The vulnerability has been fixed in versions 5.73.11 and 6.4.0 [1][2][4]. External Glide URL validation was introduced in v5.73.11 [4], and v6.4.0 includes additional security hardening [2]. Users are strongly advised to upgrade to the latest patched version and to ensure insecure mode is not enabled unless absolutely necessary.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
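The fix described above validates external Glide URLs before the server fetches them. As an added illustration (not Statamic's own code), the Python check below shows the shape such validation takes for an image proxy: restrict the scheme, allowlist the source hosts, and confirm that every address a host resolves to is public before any fetch, applied to both the image URL and the watermark URL. The allowlisted hosts and the resolver injection are constructed for this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlist for this example: the only hosts the image proxy may fetch from.
ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}

def _default_resolver(host):
    """Resolve a hostname to every address (A and AAAA) it currently points at."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _is_public(addr):
    """True only for globally routable unicast: rejects loopback, RFC 1918, CGNAT, multicast
    and link-local (which is where the 169.254.169.254 cloud metadata endpoint lives)."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d as the IPv4 address it wraps
    return ip.is_global and not ip.is_multicast

def validate_image_source(url, allowed_hosts=ALLOWED_HOSTS, resolver=_default_resolver):
    """Decide whether the proxy may fetch `url`; returns (allowed, reason)."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False, f"scheme {parsed.scheme!r} not allowed"
    if parsed.username or parsed.password:
        return False, "credentials in URL not allowed"
    host = (parsed.hostname or "").lower()
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    # An allowlisted name can still point at an internal address (stale or hijacked DNS,
    # rebinding), so every address it resolves to is checked before anything is fetched.
    try:
        addrs = list(resolver(host))
    except OSError:
        return False, f"could not resolve {host!r}"
    for addr in addrs:
        if not _is_public(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"

def validate_glide_request(image_url, watermark_url=None, resolver=_default_resolver):
    """Run the same check on the image URL and, when one is given, the watermark URL."""
    for label, url in (("image", image_url), ("watermark", watermark_url)):
        if url is not None:
            ok, reason = validate_image_source(url, resolver=resolver)
            if not ok:
                return False, f"{label}: {reason}"
    return True, "ok"
```

The resolved-address check is what turns a plain host allowlist into an SSRF guard: without it, a DNS record under someone else's control can steer an allowlisted name at an internal address.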
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| statamic/cms (Packagist) | < 5.73.11 | 5.73.11 |
| statamic/cms (Packagist) | >= 6.0.0-alpha.1, < 6.4.0 | 6.4.0 |
Affected products
- statamic/cms v5 (range: < 5.73.11)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-cwpp-325q-2cvp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-28423 (NVD advisory)
- github.com/statamic/cms/releases/tag/v5.73.11 (release notes)
- github.com/statamic/cms/releases/tag/v6.4.0 (release notes)
- github.com/statamic/cms/security/advisories/GHSA-cwpp-325q-2cvp (vendor advisory, confirmation)
News mentions
No linked articles in our index yet.