DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-27127: Ghost in the Machine: Weaponizing DNS Rebinding to Bypass SSRF Filters in Craft CMS


Vulnerability ID: CVE-2026-27127
CVSS Score: 7.0
Published: 2026-02-23

Craft CMS, a popular choice for developers who like their content managed and their code explicitly typed, recently patched a Server-Side Request Forgery (SSRF) vulnerability. Or so they thought. CVE-2026-27127 describes a classic Time-of-Check-Time-of-Use (TOCTOU) race condition that bypasses that earlier fix. The first patch resolved the target hostname, checked the resulting address against an IP blocklist, and then handed the hostname (not the checked address) to the HTTP client, which resolved it a second time. An attacker who controls the name's DNS can answer the first lookup with a harmless public address and the second with an internal one, a technique known as DNS rebinding, and so make the server pour its cloud secrets (for example, AWS IAM credentials from the instance metadata service) straight into the attacker's hands. This is a story of why blacklisting IP addresses in application code is a game of whack-a-mole you will eventually lose.

TL;DR

A high-severity SSRF bypass in Craft CMS allows authenticated users to steal cloud metadata credentials. By using DNS rebinding, attackers evade the IP blocklist implemented in a previous patch, because the address that was checked is not the address the HTTP client later connects to. The fix moves the IP check into the HTTP client itself (Guzzle's ON_STATS callback), so the address that was actually connected to is the one validated.
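The race described above, as an added example that is not Craft CMS or Guzzle code: a language-neutral model of the check-then-fetch pattern that DNS rebinding exploits, beside the two ways of closing it (resolve once and pin the address, or verify the address actually connected to after the fact). The resolver, the blocklist, the hostname and the "network" are all constructed for this demonstration; nothing here contacts a real DNS server or the real metadata service.

```python
"""Added example, not Craft CMS or Guzzle code: a language-neutral model of the
check-then-fetch race that DNS rebinding exploits, beside two ways to close it.
The resolver, the blocklist and the 'network' are constructed for this
demonstration; nothing here touches a real DNS server or the real IMDS."""
import ipaddress
from typing import Dict, List

METADATA_IP = "169.254.169.254"

# Constructed blocklist in the style of an in-application IP denylist.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
)]

# Constructed "network": what each address serves when connected to.
# 203.0.113.10 is a documentation-range address standing in for the attacker's host.
FAKE_NETWORK: Dict[str, str] = {
    "203.0.113.10": "<html>harmless attacker page</html>",
    METADATA_IP: '{"AccessKeyId":"ASIA_CONSTRUCTED","SecretAccessKey":"not-real"}',
}


class RebindingResolver:
    """Attacker-controlled zone with a TTL-0 record: the first lookup of the
    name answers with a public address, every later lookup answers with the
    rebound (internal) address. `queries` records how often the app resolved."""

    def __init__(self, first_answer: str, rebound_answer: str) -> None:
        self._answers = (first_answer, rebound_answer)
        self.queries: List[str] = []

    def resolve(self, hostname: str) -> str:
        self.queries.append(hostname)
        return self._answers[0] if len(self.queries) == 1 else self._answers[1]


def is_denied(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DENIED_NETWORKS)


def fetch_check_then_connect(host: str, resolver: RebindingResolver) -> str:
    """Vulnerable: validate the address behind the name, then hand the NAME to
    the HTTP client, which resolves it again. Time of check != time of use."""
    checked = resolver.resolve(host)                 # time of check
    if is_denied(checked):
        raise PermissionError(f"denied {checked}")
    connected = resolver.resolve(host)               # time of use: second lookup
    return FAKE_NETWORK[connected]


def fetch_pinned(host: str, resolver: RebindingResolver) -> str:
    """Hardened, option 1: resolve once, validate, and connect to that exact
    address (a real client would also send the Host header / SNI for `host`).
    There is no second lookup for the attacker to rebind."""
    ip = resolver.resolve(host)
    if is_denied(ip):
        raise PermissionError(f"denied {ip}")
    return FAKE_NETWORK[ip]


def fetch_verify_after_connect(host: str, resolver: RebindingResolver) -> str:
    """Hardened, option 2 (the shape of a transfer-stats callback): let the
    client resolve and connect, then inspect the address it actually used and
    withhold the response if that address is denied. Note the request has
    already been sent by the time this check runs; only the result is dropped."""
    connected = resolver.resolve(host)
    body = FAKE_NETWORK[connected]
    if is_denied(connected):
        raise PermissionError(f"denied {connected}")
    return body


if __name__ == "__main__":
    for fetch in (fetch_check_then_connect, fetch_pinned, fetch_verify_after_connect):
        resolver = RebindingResolver("203.0.113.10", METADATA_IP)
        try:
            result = fetch("evil.example", resolver)
        except PermissionError as exc:
            result = f"blocked ({exc})"
        print(f"{fetch.__name__:28s} lookups={len(resolver.queries)} -> {result}")
```

Only the check-then-connect path performs two lookups, and only it returns the metadata document. Of the two hardened shapes, pinning is the stronger one: with a cURL-based client it can be done by mapping the validated address with CURLOPT_RESOLVE, whereas a post-connect check (the transfer-statistics approach) means the server has already sent a request to the internal address and merely declines to return the body.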


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-367 (TOCTOU)
  • Attack Vector: Network (DNS Rebinding)
  • CVSS Score: 7.0 (High)
  • Privileges Required: Low (Authenticated User)
  • Impact: Confidentiality Loss (Cloud Metadata)
  • Exploit Status: POC Available

Affected Systems

  • Craft CMS 4: >= 4.5.0-RC1, <= 4.16.18 (fixed in 4.16.19)
  • Craft CMS 5: >= 5.0.0-RC1, <= 5.8.22 (fixed in 5.8.23)

Code Analysis

Commit: a4cf3fb

Fixed SSRF vulnerability by moving IP validation to Guzzle ON_STATS callback

diff --git a/src/gql/resolvers/mutations/Asset.php b/src/gql/resolvers/mutations/Asset.php
... 
- if (!App::parseEnv('$CRAFT_ALLOW_SUPER_ADMINS')) {
+ RequestOptions::ON_STATS => function(TransferStats $stats) use ($url) {
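Review bot: the excerpt never shows the body of the ON_STATS callback, so it is impossible to confirm which address it validates, and the `use ($url)` capture is a warning sign: re-resolving `$url` inside the callback would reintroduce the same race this commit is meant to close. The check should read the address cURL actually connected to, `$stats->getHandlerStats()['primary_ip']` with the curl handler, and the elided lines should show the response being rejected when that address is denied. Two further points: ON_STATS fires after the transfer has completed, so the request has already reached the target by the time the address is inspected, which the commit message should acknowledge; and the removed line `- if (!App::parseEnv('$CRAFT_ALLOW_SUPER_ADMINS')) {` is a super-admin setting check with no visible relation to SSRF, so either the excerpt pairs unrelated lines or that removal needs its own justification.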

Exploit Details

  • GHSA: Official advisory containing POC steps for DNS rebinding.

Mitigation Strategies

  • Disable the Asset mutation permissions on the public GraphQL schema; the affected code path is the GraphQL asset mutation resolver.
  • Enforce IMDSv2 on all cloud instances (HttpTokens=required): credentials are then returned only to requests carrying a session token obtained through a PUT, which a server-side GET cannot supply.
  • Implement egress filtering on the host (a firewall rule matching the web server's user) that drops all traffic to 169.254.169.254, so even a bypass that reaches the HTTP client cannot reach the metadata service.
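The IMDSv2 mitigation, as an added example that is not Craft CMS code and not the real AWS service: a local mock of the metadata service in its two modes (tokens optional, tokens required) run against a fetcher that can only issue a plain GET, which is all a typical SSRF gives the attacker, and against a proper IMDSv2 client. The paths, header names and the 401 for a missing token follow the documented IMDSv2 exchange; the role name, credentials and the mock itself are constructed.

```python
"""Added example, not Craft CMS code or the real AWS service: a loopback mock of
the instance metadata service in its two modes (IMDSv1 tokens optional, IMDSv2
tokens required) to show why 'HttpTokens=required' defeats a fetcher that can
only issue a plain GET. Paths, header names and status codes follow the
documented IMDSv2 exchange; the role name and credentials are constructed."""
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib import error, request

TOKEN_PATH = "/latest/api/token"
CRED_PATH = "/latest/meta-data/iam/security-credentials/web-role"  # role name constructed
TTL_HEADER = "X-aws-ec2-metadata-token-ttl-seconds"
TOKEN_HEADER = "X-aws-ec2-metadata-token"
FAKE_CREDS = {"AccessKeyId": "ASIA_CONSTRUCTED", "SecretAccessKey": "not-real", "Token": "not-real"}

# Opener with proxies disabled so the loopback mock is always contacted directly.
OPENER = request.build_opener(request.ProxyHandler({}))


class MockIMDS(BaseHTTPRequestHandler):
    require_token = False      # False: IMDSv1 still allowed; True: IMDSv2 only
    issued_tokens = set()

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_PUT(self):
        # IMDSv2 token issuance: PUT with a TTL header, token returned in the body.
        if self.path == TOKEN_PATH and TTL_HEADER in self.headers:
            token = secrets.token_urlsafe(16)
            type(self).issued_tokens.add(token)
            self._reply(200, token)
        else:
            self._reply(400, "bad request")

    def do_GET(self):
        token = self.headers.get(TOKEN_HEADER)
        if type(self).require_token and token not in type(self).issued_tokens:
            self._reply(401, "Unauthorized")   # HttpTokens=required behaviour
        elif self.path == CRED_PATH:
            self._reply(200, json.dumps(FAKE_CREDS))
        else:
            self._reply(404, "not found")

    def _reply(self, status, body):
        data = body.encode()
        self.send_response(status)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_mock(require_token):
    MockIMDS.require_token = require_token
    server = HTTPServer(("127.0.0.1", 0), MockIMDS)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def ssrf_get(base_url, path):
    """All a typical SSRF gives the attacker: one GET, no method or header control."""
    try:
        with OPENER.open(base_url + path, timeout=5) as resp:
            return resp.status, resp.read().decode()
    except error.HTTPError as exc:
        return exc.code, exc.read().decode()


def imdsv2_client(base_url, path):
    """A legitimate IMDSv2 client: PUT for a session token, then GET with it."""
    req = request.Request(base_url + TOKEN_PATH, method="PUT", headers={TTL_HEADER: "21600"})
    with OPENER.open(req, timeout=5) as resp:
        token = resp.read().decode()
    req = request.Request(base_url + path, headers={TOKEN_HEADER: token})
    with OPENER.open(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def compare_modes():
    """Run the GET-only fetch and the proper client against both modes."""
    outcome = {}
    for mode, required in (("tokens_optional", False), ("tokens_required", True)):
        server = start_mock(required)
        base = f"http://127.0.0.1:{server.server_port}"
        status, body = ssrf_get(base, CRED_PATH)
        outcome[mode] = {
            "ssrf_status": status,
            "ssrf_leaked": "AccessKeyId" in body,
            "client_status": imdsv2_client(base, CRED_PATH)[0],
        }
        server.shutdown()
        server.server_close()
    return outcome


if __name__ == "__main__":
    print(json.dumps(compare_modes(), indent=2))
```

With tokens optional the plain GET returns the credential document; with tokens required it gets a 401 while the real client, which can issue the PUT, still works. On AWS the switch is `aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required`; keep the PUT response hop limit at 1 wherever no containerized workload needs the token, so a token cannot be obtained through a forwarded hop either. This closes the metadata-credential impact only; the SSRF itself, and any other internal target, still needs the application fix and the egress rule.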

Remediation Steps:

  1. Upgrade Craft CMS to version 4.16.19 or 5.8.23 immediately.
  2. Verify that composer.json requires the fixed craftcms/cms version, run composer update, and confirm the installed version with composer show craftcms/cms.
  3. Audit existing Asset volumes for suspicious files (for example .json or .txt uploads containing 'AccessKeyId'); any hit means the instance credentials were exfiltrated and must be rotated, not just deleted from the volume.
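A small auditor for step 3, as an added example that is not Craft CMS code. It walks an asset volume and flags .json/.txt files that look like a saved instance-metadata credential document; it goes slightly beyond the page's 'AccessKeyId' grep by also recognising a parsed credential document, a literal AKIA/ASIA access key id, and files that merely mention several of the IMDS field names. The sample volume, file names and contents are constructed; the field list matches the JSON the IMDS security-credentials endpoint returns.

```python
"""Added example, not Craft CMS code: a small auditor for the volume sweep in
step 3. It walks an asset volume and flags .json/.txt files that look like a
saved instance-metadata credential document. The sample volume, file names
and contents are constructed here; the field list matches the JSON the IMDS
security-credentials endpoint returns."""
import json
import os
import re
import tempfile
from typing import List, Tuple

SUSPECT_EXTENSIONS = {".json", ".txt"}
# Fields of an IMDS security-credentials document.
IMDS_FIELDS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration", "LastUpdated")
# AWS access key ids: long-lived keys start AKIA, temporary (STS/IMDS) keys ASIA.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")
MAX_READ = 64 * 1024  # enough for a credential blob, bounded for huge uploads


def classify(text: str) -> str:
    """'credential-like' for a parsed credential document or a literal key id,
    'suspicious' when several IMDS field names appear, otherwise 'clean'."""
    try:
        parsed = json.loads(text)
    except ValueError:
        parsed = None
    if isinstance(parsed, dict) and {"AccessKeyId", "SecretAccessKey"} <= parsed.keys():
        return "credential-like"
    if ACCESS_KEY_RE.search(text):
        return "credential-like"
    if sum(1 for field in IMDS_FIELDS if field in text) >= 2:
        return "suspicious"
    return "clean"


def audit_volume(root: str) -> List[Tuple[str, str]]:
    """Return (relative path, verdict) for every candidate file that is not clean."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read(MAX_READ)
            except OSError:
                continue
            verdict = classify(text)
            if verdict != "clean":
                findings.append((os.path.relpath(path, root).replace(os.sep, "/"), verdict))
    return sorted(findings)


def build_sample_volume() -> str:
    """Constructed asset volume: one exfiltrated credential document, one file
    that merely discusses the fields, one ordinary note and one image name."""
    root = tempfile.mkdtemp(prefix="craft-assets-")
    files = {
        "uploads/2026/02/export.json": json.dumps({
            "Code": "Success", "LastUpdated": "2026-02-20T10:00:00Z", "Type": "AWS-HMAC",
            "AccessKeyId": "ASIAEXAMPLE000000001", "SecretAccessKey": "not-a-real-secret",
            "Token": "not-a-real-token", "Expiration": "2026-02-20T16:00:00Z"}),
        "uploads/docs/iam-notes.txt": "Rotate the AccessKeyId and SecretAccessKey every 90 days.",
        "uploads/notes.txt": "Editorial calendar for March.",
        "uploads/hero.jpg": "not scanned: image extension",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel_path, verdict in audit_volume(build_sample_volume()):
        print(f"{verdict:16s} {rel_path}")
```

Point it at the volume's base path (or a copy pulled from object storage) and triage the 'credential-like' hits first. The extension filter mirrors the page's advice but is the weak part of any such sweep, since an attacker chooses the file name; for a real incident, run classify over every file regardless of extension and check the upload timestamps against the exposure window.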


Read the full report for CVE-2026-27127 on our website for more details including interactive diagrams and full exploit analysis.
