CVE Reports

Originally published at cvereports.com

CVE-2026-28423: SSRF and Configuration Exfiltration via Glide Integration in Statamic CMS


Vulnerability ID: CVE-2026-28423
CVSS Score: 6.8
Published: 2026-03-01

A critical security flaw exists in Statamic CMS versions prior to 5.73.11 and 6.4.0, involving the interaction between the Glide image manipulation library and the Antlers template engine. When Glide is configured in insecure mode (lacking signature verification), unauthenticated attackers can exploit a logic flaw in path normalization to perform Server-Side Request Forgery (SSRF) and inject Antlers template tags into image parameters to exfiltrate sensitive application configuration, including database credentials and API keys.

TL;DR

Unauthenticated attackers can abuse the Glide image proxy in Statamic to read internal network resources (SSRF) and extract application secrets via template injection. Fixed in 5.73.11 and 6.4.0.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-918
  • Secondary CWE: CWE-200
  • Attack Vector: Network
  • CVSS: 6.8
  • Privileges Required: None
  • Exploit Status: PoC Available

Affected Systems

  • Statamic CMS
  • Statamic CMS: < 5.73.11 (Fixed in: 5.73.11)
  • Statamic CMS: >= 6.0.0, < 6.4.0 (Fixed in: 6.4.0)

Code Analysis

Commit: 0d16183

Fix for path normalization and config exposure in version 6.x

Str::removeRight($this->absoluteUrl(), '/')

Commit: 97bbbec

Implementation of Antlers sandboxing and method blocking

Antlers::parseUserContent()

Exploit Details

Mitigation Strategies

  • Enable Glide URL signing by setting a secure key
  • Restrict outbound network access from the application server
  • Implement WAF rules to block template syntax in query parameters

Remediation Steps:

  1. Upgrade Statamic CMS to version 5.73.11 or 6.4.0.
  2. Verify config/statamic/glide.php has a non-null key value.
  3. Rotate any credentials (database, API keys, APP_KEY) if exposure is suspected.
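To show why the URL-signing mitigation above closes the parameter-tampering path, here is an added example that is not part of the original report or of Statamic's or Glide's code. It models the signed-URL check Glide performs in secure mode, assuming League Glide's scheme (md5 over "key:path?sorted-query" with the s parameter excluded); the key and the request values are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlencode

# Constructed signing key for the demonstration; a real deployment reads
# it from its configuration and keeps it secret.
SIGN_KEY = "constructed-demo-key"


def glide_signature(key: str, path: str, params: dict) -> str:
    """Signature Glide expects in the 's' query parameter (assumed scheme:
    md5 of key ':' path-without-leading-slash '?' key-sorted query)."""
    clean = {k: v for k, v in params.items() if k != "s"}
    query = urlencode(sorted(clean.items()))
    payload = f"{key}:{path.lstrip('/')}?{query}"
    return hashlib.md5(payload.encode()).hexdigest()


def sign_url(key: str, path: str, params: dict) -> dict:
    """What the application attaches when it renders an image URL."""
    signed = dict(params)
    signed["s"] = glide_signature(key, path, params)
    return signed


def verify_request(key: str, path: str, params: dict) -> bool:
    """Secure-mode check on an incoming request: a missing signature or a
    signature computed over different parameters is rejected, so any
    value changed after signing (including template syntax injected into
    an image parameter) never reaches the image pipeline."""
    presented = params.get("s")
    if not presented:
        return False
    expected = glide_signature(key, path, params)
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    # Constructed request: a legitimately signed resize, then the same
    # URL with one parameter altered by a third party.
    legit = sign_url(SIGN_KEY, "/img/photo.jpg", {"w": "300", "h": "200"})
    tampered = dict(legit, w="{{ tampered }}")
    print("signed request accepted:", verify_request(SIGN_KEY, "/img/photo.jpg", legit))
    print("tampered request accepted:", verify_request(SIGN_KEY, "/img/photo.jpg", tampered))
```

With signing disabled (the insecure mode the report describes) the verify step does not run at all, which is why a non-null key is the first thing to check after upgrading.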
