Statamic CMS CVE-2026-54242
MEDIUMSeverity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Network-exploitable; AC:H for DNS rebinding timing requirement; PR:L for required authenticated session; S:C for impact on internal services beyond Statamic; C:L/I:L conservative given variable internal target sensitivity.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Impact
The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation. This could cause the server to make HTTP requests to internal addresses - including loopback, private network, and cloud metadata endpoints.
This affects sites that pass user-supplied URLs to Glide.
Patches
This has been fixed in 5.73.24 and 6.20.1.
AnalysisAI
Server-Side Request Forgery (SSRF) in Statamic CMS allows authenticated low-privilege users to cause the server to make HTTP requests to internal addresses - including loopback, RFC-1918 private ranges, and cloud metadata endpoints such as 169.254.169.254 - by exploiting a DNS rebinding flaw in the Glide image proxy. Affected versions are statamic/cms before 5.73.24 and 6.x before 6.20.1 on sites that accept user-supplied remote image URLs. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the Statamic deployment is configured to accept and process user-supplied remote image URLs via the Glide proxy - sites that do not allow remote URL ingestion through Glide are not affected. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS base score of 4.9 with vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N accurately characterizes the core trade-offs: the attack is network-exploitable but requires high complexity (successful DNS rebinding demands both DNS control and precise timing between Glide's validation and fetch phases). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated Statamic editor submits a crafted image URL pointing to an attacker-controlled domain (e.g., evil.attacker.com). The attacker's authoritative DNS server returns a legitimate public IP during Glide's hostname validation check, then immediately lowers the TTL and rebinds the DNS record to 169.254.169.254 before the actual HTTP fetch occurs. … |
| Remediation | The primary fix is to upgrade statamic/cms to version 5.73.24 (for 5.x deployments) or 6.20.1 (for 6.x deployments) via composer update statamic/cms. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v5c4-wcpj-x73m