Skip to main content

Statamic CMS CVE-2026-54242

MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-26 https://github.com/statamic/cms GHSA-v5c4-wcpj-x73m
4.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
4.9 MEDIUM

Network-exploitable; AC:H for DNS rebinding timing requirement; PR:L for required authenticated session; S:C for impact on internal services beyond Statamic; C:L/I:L conservative given variable internal target sensitivity.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 26, 2026 - 23:32 vuln.today
Analysis Generated
Jun 26, 2026 - 23:32 vuln.today

DescriptionGitHub Advisory

Impact

The Glide image proxy's URL validation could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation. This could cause the server to make HTTP requests to internal addresses - including loopback, private network, and cloud metadata endpoints.

This affects sites that pass user-supplied URLs to Glide.

Patches

This has been fixed in 5.73.24 and 6.20.1.

AnalysisAI

Server-Side Request Forgery (SSRF) in Statamic CMS allows authenticated low-privilege users to cause the server to make HTTP requests to internal addresses - including loopback, RFC-1918 private ranges, and cloud metadata endpoints such as 169.254.169.254 - by exploiting a DNS rebinding flaw in the Glide image proxy. Affected versions are statamic/cms before 5.73.24 and 6.x before 6.20.1 on sites that accept user-supplied remote image URLs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as low-privilege Statamic user
Delivery
Submit crafted remote image URL to Glide proxy
Exploit
Glide resolves hostname to public IP and passes validation
Execution
Attacker rebinds DNS record to internal/metadata address
Persist
Glide re-resolves and fetches URL against internal target
Impact
Exfiltrate response (cloud credentials or internal service data)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the Statamic deployment is configured to accept and process user-supplied remote image URLs via the Glide proxy - sites that do not allow remote URL ingestion through Glide are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS base score of 4.9 with vector AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N accurately characterizes the core trade-offs: the attack is network-exploitable but requires high complexity (successful DNS rebinding demands both DNS control and precise timing between Glide's validation and fetch phases). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated Statamic editor submits a crafted image URL pointing to an attacker-controlled domain (e.g., evil.attacker.com). The attacker's authoritative DNS server returns a legitimate public IP during Glide's hostname validation check, then immediately lowers the TTL and rebinds the DNS record to 169.254.169.254 before the actual HTTP fetch occurs. …
Remediation The primary fix is to upgrade statamic/cms to version 5.73.24 (for 5.x deployments) or 6.20.1 (for 6.x deployments) via composer update statamic/cms. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54242 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy