DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-27129: Craft CMS SSRF: The IPv6 Ghost in the Machine


Vulnerability ID: CVE-2026-27129
CVSS Score: 5.7
Published: 2026-02-24

A sophisticated Server-Side Request Forgery (SSRF) bypass in Craft CMS leverages the often-overlooked disparity between legacy PHP networking functions and modern dual-stack infrastructure. By exploiting how gethostbyname() handles IPv6-only hostnames, attackers can bypass security filters intended to block internal access, directly targeting cloud metadata services like AWS IMDSv2 via their IPv6 endpoints.

TL;DR

Craft CMS failed to sanitize IPv6-only hostnames because PHP's gethostbyname() does not resolve AAAA records. Attackers can use this to reach internal services (AWS IMDS, loopback) through domains that resolve only to IPv6, bypassing the application's IPv4-centric allowlist/blocklist logic.
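As an added illustration of the root cause described above (this is not code from Craft CMS or from the report), the following PHP destination check resolves both A and AAAA records with dns_get_record() and tests every returned address against an IPv4 and IPv6 blocklist, so an IPv6-only hostname no longer slips past an IPv4-centric filter. It assumes the caller passes the bare host part of the outbound URL (brackets already stripped from IPv6 literals); the range list and function names are my own.

```php
<?php
// Added example, not Craft CMS code. gethostbyname() consults only A records and
// returns an IPv6-only hostname unchanged, so an IPv4-only filter never sees the
// AAAA address. Here both record types are resolved and every address is checked.
const BLOCKED_RANGES = [
    '127.0.0.0/8', '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16',
    '169.254.0.0/16',   // IPv4 link-local, includes 169.254.169.254 (IMDS)
    '::1/128',          // IPv6 loopback
    '::ffff:0:0/96',    // IPv4-mapped IPv6, e.g. ::ffff:169.254.169.254
    'fe80::/10',        // IPv6 link-local
    'fc00::/7',         // unique local, includes fd00:ec2::254 (AWS IMDS over IPv6)
];

/** True when the literal $ip (v4 or v6) lies inside the CIDR block $cidr. */
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;                   // unparsable, or a different address family
    }
    $full = intdiv((int) $bits, 8);     // whole bytes that must match exactly
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) return false;
    $rem = (int) $bits % 8;             // leftover prefix bits in the next byte
    if ($rem === 0) return true;
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

/** Resolve A and AAAA records and reject $host if any returned address is blocked. */
function isSafeDestination(string $host): bool
{
    $addrs = [];
    if (inet_pton($host) !== false) {
        $addrs[] = $host;               // already a literal address, no lookup
    } else {
        foreach (dns_get_record($host, DNS_A | DNS_AAAA) ?: [] as $rec) {
            $addrs[] = $rec['ip'] ?? $rec['ipv6'];   // A records use 'ip', AAAA 'ipv6'
        }
    }
    if ($addrs === []) return false;    // unresolvable: fail closed, never pass the name on
    foreach ($addrs as $ip) {
        foreach (BLOCKED_RANGES as $cidr) {
            if (ipInCidr($ip, $cidr)) return false;
        }
    }
    return true;
}
```

The HTTP client must then connect to the exact address that was checked (for example via a resolver override) rather than resolving the name a second time, or a DNS answer that changes between check and connect would defeat the filter.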


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-918
  • Attack Vector: Network (GraphQL)
  • CVSS v4.0: 5.7 (Medium)
  • Impact: High (Confidentiality)
  • EPSS Score: 0.03%
  • Exploit Status: Proof of Concept

Affected Systems

  • Craft CMS 4.x (< 4.16.19)
  • Craft CMS 5.x (< 5.8.23)
  • AWS EC2 Instances (via IMDS)
  • Google Cloud Compute (via Metadata)
  • Craft CMS: >= 4.5.0-RC1, < 4.16.19 (Fixed in: 4.16.19)
  • Craft CMS: >= 5.0.0-RC1, < 5.8.23 (Fixed in: 5.8.23)

Code Analysis

Commit: 2825388

Fixed SSRF vulnerability by adding IPv6 prefix validation

+ private function validateIp(string $ip): bool {
+    $v6Prefixes = ['fd00:ec2::', ...];
+    foreach ($v6Prefixes as $prefix) {
+        if (str_starts_with($ip, $prefix)) return false;
+    }
+ }
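Review bot: validateIp() is declared with a bool return type but has no return after the foreach, so an address that matches none of the prefixes falls off the end of the function and PHP raises a TypeError instead of returning true; add `return true;` after the loop. Also, str_starts_with() compares the raw string, so the check only holds when $ip is the resolved address in a canonical form (for example normalised through inet_pton()/inet_ntop()) rather than a hostname or an alternative textual spelling of the same address; it would be worth confirming that the elided `...` covers the IPv6 loopback and link-local prefixes as well as the fd00:ec2:: metadata range.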

Exploit Details

Mitigation Strategies

  • Upgrade Craft CMS to version 4.16.19 or 5.8.23 immediately.
  • Block egress traffic to cloud metadata IPs (IPv4 and IPv6) at the firewall level.
  • Enforce AWS IMDSv2 with a hop limit of 1.
  • Disable the 'Public Schema' in GraphQL if not strictly necessary.

Remediation Steps:

  1. Apply the vendor patch via composer update.
  2. Audit existing GraphQL schemas for unauthenticated write access.
  3. Review server logs for requests to 'sslip.io' or other wildcard DNS services.

Read the full report for CVE-2026-27129 on our website for more details including interactive diagrams and full exploit analysis.
