VYPR
Medium severity · NVD Advisory · Published Apr 22, 2026 · Updated Apr 22, 2026

CVE-2026-41129

Description

Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery (SSRF) through the GraphQL asset mutation, which accepts a remote `url` for the file to upload and fetches it server-side. Exploitation requires two permissions to be enabled in the GraphQL schema in use: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.
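As an added example (not Craft's own code, and not the patched `validateScheme`/`validateHostname` from the fix commit), the PHP below shows the shape of URL validation a resolver that fetches a client-supplied `url` needs before issuing the request: a scheme allowlist rather than a denylist of known-bad schemes, a mandatory host, rejection of userinfo, and a check that the host (literal or resolved) is not loopback, private, link-local or otherwise reserved. The function names, the `cdn.example`/`internal.example` hosts and the static resolver are constructed for the demo so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not Craft CMS code. Names below are hypothetical.

// True only for a literal IP outside loopback, private (RFC 1918 / fc00::/7),
// link-local (incl. 169.254.169.254 cloud metadata) and reserved ranges.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Decide whether a user-supplied URL may be fetched server-side.
// $resolve maps a hostname to its addresses; defaults to the system resolver.
function isSafeAssetUrl(string $url, ?callable $resolve = null): bool
{
    $parts = parse_url($url);
    if ($parts === false) {
        return false; // seriously malformed URL
    }

    // 1. Scheme allowlist. parse_url() yields no 'scheme' key for "//host/x"
    //    or "/etc/passwd", so a missing scheme is rejected, never defaulted.
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }

    // 2. A host must be present ("http:///path" parses without one).
    $host = $parts['host'] ?? '';
    if ($host === '') {
        return false;
    }

    // 3. No userinfo: "http://user@host" is a classic host-confusion trick.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // 4. Literal IP hosts (parse_url returns IPv6 literals bracketed).
    $literal = trim($host, '[]');
    if (filter_var($literal, FILTER_VALIDATE_IP) !== false) {
        return isPublicIp($literal);
    }

    // 5. Resolve the name and vet every address. The fetch must then connect
    //    to a vetted address (pin it); otherwise DNS rebinding bypasses this.
    $resolve ??= fn(string $h): array => gethostbynamel($h) ?: [];
    $addrs = $resolve($host);
    if ($addrs === []) {
        return false;
    }
    foreach ($addrs as $addr) {
        if (!isPublicIp($addr)) {
            return false;
        }
    }
    return true;
}

// Constructed, offline resolver for the demo (no real DNS is consulted).
$fakeDns = fn(string $h): array => [
    'cdn.example'      => ['203.0.113.10'],
    'internal.example' => ['10.0.0.5'],
][$h] ?? [];

// Constructed inputs with the expected decision for each.
$cases = [
    'https://cdn.example/logo.png'             => true,
    'HTTP://cdn.example/logo.png'              => true,  // scheme is case-insensitive
    'gopher://cdn.example:70/_SMTP'            => false, // non-HTTP(S) scheme
    'file:///etc/passwd'                       => false,
    'ftp://cdn.example/x'                      => false,
    '//cdn.example/logo.png'                   => false, // no scheme at all
    'http://169.254.169.254/latest/meta-data/' => false, // link-local metadata
    'http://[::1]:8080/'                       => false, // IPv6 loopback
    'http://internal.example/'                 => false, // resolves to RFC 1918
    'http://user@cdn.example/'                 => false, // userinfo present
];

foreach ($cases as $url => $expected) {
    $got = isSafeAssetUrl($url, $fakeDns);
    printf("%-45s %s%s\n", $url, $got ? 'allow' : 'deny',
        $got === $expected ? '' : '  <-- unexpected');
}
```

Two caveats the example makes explicit rather than leaving to the fetch layer: shorthand literals such as `127.1` are not accepted by `FILTER_VALIDATE_IP` and fall through to the resolver, where the system resolver expands them to `127.0.0.1`, so the resolver path has to be vetted as strictly as the literal path; and a pre-fetch DNS check is only meaningful if the HTTP client then connects to the vetted address and does not follow redirects to unvetted ones, since a name can return a public address at check time and an internal one at connect time.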

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  | Affected versions        | Patched versions
craftcms/cms (Packagist) | >= 5.0.0-RC1, < 5.9.15   | 5.9.15
craftcms/cms (Packagist) | >= 4.0.0-RC1, < 4.17.9   | 4.17.9

Patches

d20aecfaa0ea: Fixed GHSA-3m9m-24vh-39wx

https://github.com/craftcms/cms · brandonkelly · Mar 5, 2026 · via ghsa
2 files changed · +12 −0
  • CHANGELOG.md (+1 −0, modified)
    @@ -6,6 +6,7 @@
     - Fixed a bug where `users/suspend-user` and `users/unsuspend-user` actions required that the logged-in user have control panel access. ([#18485](https://github.com/craftcms/cms/issues/18485))
     - Fixed a bug where flipping an image within the Image Editor didn’t always work. ([#18486](https://github.com/craftcms/cms/issues/18486))
     - Fixed a bug where SVG files missing their `width` and `height` attributes weren’t getting them set as expected.
    +- Fixed a [moderate-severity](https://github.com/craftcms/cms/security/policy#severity--remediation) SSRF vulnerability. (GHSA-3m9m-24vh-39wx)
     
     ## 4.17.8 - 2026-02-25
     
    
  • src/gql/resolvers/mutations/Asset.php (+11 −0, modified)
    @@ -251,6 +251,10 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
             } elseif (!empty($fileInformation['url'])) {
                 $url = $fileInformation['url'];
     
    +            if (!$this->validateScheme($url)) {
    +                throw new UserError("$url contains an invalid scheme.");
    +            }
    +
                 if (!$this->validateHostname($url)) {
                     throw new UserError("$url contains an invalid hostname.");
                 }
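Review bot: the new `validateScheme` call vets only the URL the client submitted in `$fileInformation['url']`; nothing in this hunk shows whether the download that follows disables HTTP redirects or re-validates redirect targets, and a redirect from an allowed `http://` origin to `file://`, `gopher://` or an internal hostname would pass both `validateScheme` and `validateHostname` as written. Please confirm the fetch either refuses redirects or runs both checks on every redirect target before the next request is issued, and note that in the PR description so the guarantee is documented.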
    @@ -297,6 +301,13 @@ protected function handleUpload(AssetElement $asset, array $fileInformation): bo
             return true;
         }
     
    +    private function validateScheme(string $url): bool
    +    {
    +        // block Gopher/File/FTP Smuggling
    +        $scheme = parse_url($url, PHP_URL_SCHEME);
    +        return in_array(strtolower($scheme), ['http', 'https'], true);
    +    }
    +
         private function validateHostname(string $url): bool
         {
             $hostname = parse_url($url, PHP_URL_HOST);
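Review bot: `validateScheme` passes the result of `parse_url($url, PHP_URL_SCHEME)` straight into `strtolower()`, but `parse_url` returns `null` when the URL has no scheme (e.g. `//host/path`) and `false` for a badly malformed URL; on PHP 8.1+ `strtolower(null)` raises a deprecation notice, and relying on the coerced `''` to fail the `in_array` test is implicit rather than deliberate. Suggest guarding the type first, e.g. `return is_string($scheme) && in_array(strtolower($scheme), ['http', 'https'], true);`. Also, the comment `// block Gopher/File/FTP Smuggling` names three schemes while the code is an allowlist that rejects every non-HTTP(S) scheme (`dict://`, `ldap://`, `php://` and so on); reword it to say the scheme is allowlisted to http/https so a future reader does not treat the three named ones as the full threat model.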
    
