CVE-2026-25492

Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff	Patch
https://github.com/craftcms/cms/releases/tag/5.8.22	Product Release Notes
https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8	Exploit Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:craftcms:craft_cms::::::::
	cpe:2.3:a:craftcms:craft_cms::::::::

History

No history.

Information

Published : 2026-02-09 20:15

Updated : 2026-02-19 19:12

NVD link : CVE-2026-25492

Mitre link : CVE-2026-25492

CVE.ORG link : CVE-2026-25492

JSON object : View

Products Affected

craftcms

craft_cms

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-25492", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-09T20:15:57.650", "references": [{"url": "https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ff", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/releases/tag/5.8.22", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8", "tags": ["Exploit", "Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22."}, {"lang": "es", "value": "Craft CMS es un sistema de gesti\u00f3n de contenido. En las versiones de Craft 3.5.0 a 4.16.17 y 5.0.0-RC1 a 5.8.21, la mutaci\u00f3n GraphQL save_images_Asset puede ser utilizada indebidamente para obtener URLs internas al proporcionar un nombre de dominio que se resuelve en una direcci\u00f3n IP interna, eludiendo la validaci\u00f3n del nombre de host. Cuando se permite una extensi\u00f3n de archivo que no es de imagen, como .txt, se elude la validaci\u00f3n de imagen posterior, lo que puede permitir a un atacante autenticado con permiso para usar save_images_Asset recuperar datos sensibles como credenciales de metadatos de instancia de AWS del host subyacente. Este problema est\u00e1 parcheado en las versiones 4.16.18 y 5.8.22."}], "lastModified": "2026-02-19T19:12:55.063", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E85FA80-6A50-430C-8E92-3D46BBE0682C", "versionEndExcluding": "4.16.18", "versionStartIncluding": "3.5.0"}, {"criteria": "cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CCCB684A-592F-495F-86A7-F16399C58701", "versionEndExcluding": "5.8.22", "versionStartIncluding": "5.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}