CVE-2026-27129: Craft CMS: Cloud Metadata SSRF Protection Bypass via IPv6 Resolution
The SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname(), which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection.
This is a bypass of the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc).
References
- github.com/advisories/GHSA-v2gc-rm6g-wrw9
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3
- github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9
- github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
- nvd.nist.gov/vuln/detail/CVE-2026-27129
Code Behaviors & Features
Detect and mitigate CVE-2026-27129 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →