{"id":"CVE-2026-27129","summary":"Cloud Metadata SSRF Protection Bypass via IPv6 Resolution","details":"Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `\u003cVolumeName\u003e` volume and creating assets in the `\u003cVolumeName\u003e` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.","aliases":["GHSA-v2gc-rm6g-wrw9"],"modified":"2026-04-10T05:37:06.092777Z","published":"2026-02-24T02:45:45.494Z","related":["GHSA-v2gc-rm6g-wrw9","GHSA-x27p-wfqw-hfcc"],"database_specific":{"cwe_ids":["CWE-918"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27129.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/27xxx/CVE-2026-27129.json"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9"},{"type":"ADVISORY","url":"https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-27129"},{"type":"FIX","url":"https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"0"},{"fixed":"1a8db788c8b3de85c3aed09ac34046e230079481"}],"database_specific":{"versions":[{"introduced":"4.5.0-RC1"},{"fixed":"4.16.19"}]}},{"type":"GIT","repo":"https://github.com/craftcms/cms","events":[{"introduced":"04755d93f86d07cc183db47db8a0eee106892e30"},{"fixed":"daf0ed01c7d2c194ba4a405290e43934d020eef2"}],"database_specific":{"versions":[{"introduced":"5.0.0-RC1"},{"fixed":"5.8.23"}]}}],"versions":["0.9.2063","0.9.2064","0.9.2065","0.9.2068","0.9.2071","0.9.2078","0.9.2079","0.9.2080","0.9.2081","0.9.2083","0.9.2090","0.9.2094","0.9.2100","0.9.2101","0.9.2102","0.9.2103","0.9.2106","0.9.2116","0.9.2117","0.9.2123","0.9.2124","0.9.2146","0.9.2151","0.9.2157","0.9.2167","0.9.2168","0.9.2177","0.9.2181","0.9.2184","0.9.2189","0.9.2193","0.9.2243","0.9.2246","1.0.0-alpha.2236","1.0.0-alpha.2237","1.0.0-alpha.2238","1.0.0-alpha.2241","1.0.0-alpha.2242","1.0.0-alpha.2244","1.0.0-alpha.2245","1.0.0-alpha.2247","1.0.0-alpha.2248","1.0.0-alpha.2249","1.0.2266","1.1.0-alpha.2283","1.1.0-alpha.2284","1.1.0-alpha.2285","1.1.0-alpha.2288","1.1.2291","1.2.0-alpha.2310","1.2.0-alpha.2312","1.2.0-alpha.2318","1.2.0-alpha.2319","1.2.0-alpha.2322","1.2.0-alpha.2328","1.2.0-alpha.2329","1.2.2333","1.2.2335","1.2.2336","1.2.2339","1.4.0-alpha.2488","1.4.0-alpha.2489","1.4.0-alpha.2490","1.4.0-alpha.2491","1.4.0-alpha.2492","1.4.0-alpha.2493","1.4.0-alpha.2497","1.4.0-alpha.2498","1.4.0-alpha.2499","1.4.0-alpha.2500","1.4.0-alpha.2502","1.4.0-alpha.2503","1.4.0-alpha.2505","1.4.0-alpha.2509","2.0.2524","2.0.2525","2.0.2527","2.0.2532","2.0.2533","2.0.2535","2.0.2536","2.0.2537","2.0.2538","2.0.2539","2.1.0-alpha.2546","2.1.0-alpha.2547","2.1.0-alpha.2552","2.1.2554","2.1.2555","2.1.2556","2.1.2557","2.2.0-alpha.2578","2.2.2579","2.2.2581","2.3.0-alpha.2600","2.3.0-alpha.2602","2.3.0-alpha.2603","2.3.0-alpha.2605","2.3.0-alpha.2606","2.3.0-alpha.2608","2.3.0-alpha.2610","2.3.0-alpha.2612","2.3.2615","2.3.2616","2.3.2617","3.0.0-alpha.2671","3.0.0-alpha.2681","3.0.0-alpha.2687","3.0.0-alpha.2915","3.0.0-alpha.2918","3.0.0-alpha.2928","3.0.0-alpha.2933","3.0.0-alpha.2937","3.0.0-alpha.2939","3.0.0-alpha.2942","3.0.0-alpha.2948","4.10.0-beta.1","4.10.0-beta.2","4.11.0","4.11.0.1","4.11.0.2","4.12.0","4.13.0","4.13.1","4.13.1.1","4.13.10","4.13.2","4.13.3","4.13.4","4.13.5","4.13.6","4.13.8","4.13.9","4.14.0","4.14.0.1","4.14.0.2","4.14.1","4.14.10","4.14.11","4.14.11.1","4.14.12","4.14.13","4.14.14","4.14.15","4.14.2","4.14.3","4.14.4","4.14.5","4.14.6","4.14.7","4.14.8","4.14.8.1","4.14.9","4.15.0","4.15.0.1","4.15.0.2","4.15.1","4.15.2","4.15.3","4.15.4","4.15.5","4.15.6","4.15.6.1","4.15.6.2","4.15.7","4.16.0","4.16.1","4.16.10","4.16.11","4.16.12","4.16.13","4.16.14","4.16.15","4.16.16","4.16.17","4.16.18","4.16.2","4.16.3","4.16.4","4.16.5","4.16.6","4.16.6.1","4.16.7","4.16.8","4.16.9","4.16.9.1","4.8.10","4.8.11","4.8.6","4.8.7","4.8.8","4.8.9","@craftcms/sass@1.0.0","@craftcms/sass@1.0.1","@craftcms/webpack@0.0.1","@craftcms/webpack@0.2.0","@craftcms/webpack@0.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-27129.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"}]}