Skip to main content

Craft CMS CVE-2026-41129

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-22 security-advisories@github.com
5.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Apr 22, 2026 - 00:58 vuln.today
Analysis Generated
Apr 22, 2026 - 00:22 vuln.today
CVE Published
Apr 22, 2026 - 00:16 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Versions 4.17.9 and 5.9.15 patch the issue.

AnalysisAI

Server-Side Request Forgery in Craft CMS 4.x through 4.17.8 and 5.x through 5.9.14 allows authenticated users with asset management permissions to request arbitrary URLs via the GraphQL API, potentially exposing internal services or performing actions on behalf of the CMS server. Exploitation requires high-privilege role assignments ('Edit assets' and 'Create assets' in a volume) and is patched in versions 4.17.9 and 5.9.15. EPSS score indicates moderate exploitation probability despite high CVSS, suggesting this is primarily a risk in multi-user CMS deployments where privilege separation is weak.

Technical ContextAI

Craft CMS is a headless/traditional CMS built on Yii framework that exposes content and asset operations through a GraphQL schema. The vulnerability lies in insufficient input validation on GraphQL mutation operations that handle asset creation and editing, allowing attackers to craft requests that bypass URL validation checks. CWE-918 (Server-Side Request Forgery) occurs when the CMS processes user-supplied URLs without proper allowlisting or protocol validation. The affected GraphQL schema permissions ('Edit assets in the <VolumeName> volume' and 'Create assets in the <VolumeName> volume') are typically assigned to content editors, making this a privilege-escalation risk when combined with internal network exposure. The vulnerability is rooted in GraphQL mutation handling for asset operations, not in the broader Craft framework.

Affected ProductsAI

Craft CMS 4.x branch through version 4.17.8 (all 4.x versions before 4.17.9) and 5.x branch through version 5.9.14 (all 5.x versions before 5.9.15). Both branches are affected by the same SSRF mechanism in GraphQL asset mutation handlers. The vulnerability is present in any Craft CMS installation running these versions with GraphQL enabled and asset-related permissions assigned.

RemediationAI

Upgrade immediately to Craft CMS 4.17.9 or 5.9.15, depending on your branch. For Craft 4.x users, apply the patch from commit d20aecfaa0eae076c4154be3b17e1f9fa05ce46f or use the tagged release 4.17.9; for 5.x users, upgrade to 5.9.15 or later. No workaround exists without patching, but temporary mitigation includes: (1) Restrict 'Edit assets' and 'Create assets' GraphQL permissions only to trusted administrator accounts, removing from general editor roles - trade-off is reduced editorial workflow flexibility. (2) Disable GraphQL asset mutations entirely in production if not actively used, via schema configuration - verify third-party integrations do not depend on these endpoints. (3) Implement network-level egress filtering to block asset upload destinations to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8) - trade-off is potential breakage of legitimate asset URLs if they reference internal CDNs. See GHSA-3m9m-24vh-39wx for detailed advisory and upgrade instructions.

Share

CVE-2026-41129 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy