VYPR
← All advisories
Medium severity5.4GHSA Advisory· Published May 18, 2026· Updated May 18, 2026

Statamic CMS: Server-Side Request Forgery via Glide

CVE-2026-45660

Description

Impact

The Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints.

This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected.

Patches

This has been fixed in 5.73.22 and 6.18.1

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A URL validation bypass in Statamic's Glide image proxy allows unauthenticated attackers to make internal HTTP requests, fixed in versions 5.73.22 and 6.18.1.

Vulnerability

The Glide image proxy in Statamic CMS contains a URL validation bypass vulnerability [1][2][3]. The proxy fails to normalize certain IP representations (such as alternative decimal, octal, or shorthand formats) before performing the public-IP check. This allows an attacker to craft a URL that, after normalization by the server, points to a private or loopback address while passing validation as public. The vulnerability affects sites that pass user-supplied URLs to Glide. All versions before 5.73.22 and all versions from 6.0.0-alpha.1 before 6.18.1 are vulnerable. Sites running PHP 8.3 or newer are not affected [2][3].

Exploitation

An unauthenticated attacker can supply a specially crafted URL to the Glide image proxy. The attacker does not need any special privileges or network position other than the ability to reach the Glide endpoint. The attacker uses an IP representation that is not normalized (e.g., an integer representation of a private IP address or a dotted-octet variant that bypasses the public-IP regex) but that, once normalized by PHP or the HTTP client, resolves to an internal address such as 127.0.0.1 (loopback), 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, or cloud metadata IPs (e.g., 169.254.169.254) [2][3].

Impact

On successful exploitation, the attacker achieves a server-side request forgery (SSRF) against internal addresses. The server will fetch resources from those internal endpoints and return them as images, potentially disclosing sensitive information such as cloud metadata (e.g., AWS/GCP instance credentials), internal service data, or stack traces. The impact is confidentiality breach; the attacker does not execute code or modify data directly via this vulnerability, but the resulting information disclosure can enable further attacks [2][3].

Mitigation

The vulnerability has been patched in Statamic CMS versions 5.73.22 and 6.18.1 [2][3]. Users should upgrade to one of these fixed versions immediately. If upgrading is not possible, sites running PHP 8.3 or newer are not affected [2][3]. There is no other workaround documented in the available references for sites on older PHP versions. This advisory was published with fixes already available.

References
  1. GitHub - statamic/cms: The core Laravel CMS Composer package
  2. CVE-2026-45660 - GitHub Advisory Database
  3. Server-Side Request Forgery via Glide

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
3a0b3a05ab5f

[5.x] Harden remote URL validation (#14645)

https://github.com/statamic/cmsJason VargaMay 11, 2026Fixed in 6.18.1via llm-release-walk
commit
2 files changed · +39 0
  • src/Imaging/RemoteUrlValidator.php+7 0 modified
    @@ -94,6 +94,13 @@ protected function ensureHostResolvesToPublicIps($host)
 
     protected function assertPublicIp($ip)
     {
+        if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
+            $packed = inet_pton($ip);
+            if ($packed !== false && substr($packed, 0, 12) === "\0\0\0\0\0\0\0\0\0\0\xff\xff") {
+                $ip = inet_ntop(substr($packed, 12));
+            }
+        }
+
         $result = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
 
         if (! $result) {
  • tests/Imaging/ImageGeneratorTest.php+32 0 modified
    @@ -308,6 +308,38 @@ public function it_blocks_watermark_urls_that_target_non_public_ip_ranges()
         $this->makeGenerator()->setParams(['mark' => 'http://127.0.0.1/watermark.png']);
     }
 
+    public static function ipv4MappedIpv6Provider()
+    {
+        return [
+            'mapped loopback' => ['::ffff:127.0.0.1'],
+            'mapped loopback (hex form)' => ['::ffff:7f00:1'],
+            'mapped RFC1918' => ['::ffff:10.0.0.1'],
+            'mapped link-local metadata' => ['::ffff:169.254.169.254'],
+        ];
+    }
+
+    #[Test]
+    #[DataProvider('ipv4MappedIpv6Provider')]
+    public function it_blocks_ipv4_mapped_ipv6_addresses_via_dns($mappedIp)
+    {
+        $validator = new RemoteUrlValidator(fn ($host) => [['ipv6' => $mappedIp]]);
+
+        $this->expectException(InvalidRemoteUrlException::class);
+        $this->expectExceptionMessage('Destination IP is not publicly routable.');
+
+        $validator->validate('https://attacker.example/foo.jpg');
+    }
+
+    #[Test]
+    public function it_allows_public_ipv6_addresses()
+    {
+        $validator = new RemoteUrlValidator(fn ($host) => [['ipv6' => '2606:4700:4700::1111']]);
+
+        $validator->validate('https://example.com/foo.jpg');
+
+        $this->addToAssertionCount(1);
+    }
+
     #[Test]
     public function the_watermark_disk_is_the_public_directory_by_default()
     {

Vulnerability mechanics

Root cause

"Missing normalization of IPv4-mapped IPv6 addresses before checking whether the destination IP is publicly routable."

Attack vector

An unauthenticated attacker supplies a URL whose DNS resolves to an IPv4-mapped IPv6 address such as `::ffff:127.0.0.1` or `::ffff:169.254.169.254`. The `assertPublicIp` method in `RemoteUrlValidator.php` [patch_id=918488] passes the raw IPv6 string to `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE`, which does not recognize the embedded IPv4 address as private or reserved. The validation passes, and the Glide image proxy makes an HTTP request to the internal address — including loopback, RFC 1918 private networks, or cloud metadata endpoints.

Affected code

The vulnerability is in `src/Imaging/RemoteUrlValidator.php` in the `assertPublicIp` method [patch_id=918488]. The method uses `filter_var` with `FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE` but does not normalize IPv4-mapped IPv6 addresses before the check. New test cases in `tests/Imaging/ImageGeneratorTest.php` cover the bypass vectors.

What the fix does

The patch adds a normalization step inside `assertPublicIp` [patch_id=918488]: when the IP is an IPv6 address, it is converted to packed form via `inet_pton`. If the first 12 bytes match the IPv4-mapped prefix `\0\0\0\0\0\0\0\0\0\0\xff\xff`, the embedded IPv4 address is extracted with `substr($packed, 12)` and converted back to a standard IPv4 string via `inet_ntop`. The subsequent `filter_var` call then correctly applies the private/reserved range filters to the extracted IPv4 address, blocking the bypass.

Preconditions

  • configThe application must pass user-supplied URLs to the Glide image proxy.
  • authNo authentication is required; the endpoint is publicly accessible.
  • inputThe attacker must control a DNS record that resolves to an IPv4-mapped IPv6 address (e.g., ::ffff:127.0.0.1).
  • configPHP version must be older than 8.3 (PHP 8.3+ is not affected).

Generated on May 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2

News mentions

0

No linked articles in our index yet.