CVE-2026-27127

EUVD-2026-7402

24.02.2026, 03:16

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

TOCTOU

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.3 MEDIUM	NETWORK	HIGH	LOW	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
craftcms	craft_cms	3.5.1 ≤ 𝑥 < 4.16.19
craftcms	craft_cms	5.0.1 ≤ 𝑥 < 5.8.23
craftcms	craft_cms	3.5.0
craftcms	craft_cms	5.0.0
craftcms	craft_cms	5.0.0:rc1

𝑥

= Vulnerable software versions

Known Exploits!

Common Weakness Enumeration

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
The software checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

References

https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575

https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx

https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc