Home

Description

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

PUBLISHED Reserved 2026-02-02 | Published 2026-02-09 | Updated 2026-02-10 | Assigner GitHub_M




MEDIUM: 5.3CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-918: Server-Side Request Forgery (SSRF)

Product status

>= 5.0.0-RC1, < 5.8.22
affected

>= 3.5.0, < 4.16.18
affected

References

github.com/...ms/cms/security/advisories/GHSA-96pq-hxpw-rgh8

github.com/...ommit/e838a221df2ab15cd54248f22fc8355d47df29ff

github.com/craftcms/cms/releases/tag/5.8.22

cve.org (CVE-2026-25492)

nvd.nist.gov (CVE-2026-25492)

Download JSON