216.73.217.64

CVE-2026-27127

· Published 24/02/2026 03:16 · Modified 25/02/2026 19:31

Labels: CVE-2026-27127 2026-02-24CVE-2026-27127CWE-367[email protected]

Essential information

Published
24/02/2026 03:16
Modified
25/02/2026 19:31
Author
Creator
CVSS
7.0 HIGH (v3) 7.0 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:3.5.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
craftcms / craft cms cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

References