Vulnerability DatabaseCVE-2026-27127
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-27127
February 24, 2026
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request. This is a bypass of the security fix for CVE-2025-68437 that allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires GraphQL schema permissions for editing assets in the "<VolumeName>" volume and creating assets in the "<VolumeName>" volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
Affected Packages
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=4.0.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=5.0.0 <5.8.23
Fix Suggestion:
Update to version 5.8.23
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=4.0.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=5.0.0 <5.8.23
Fix Suggestion:
Update to version 5.8.23
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=5.0.0 <5.8.23
Fix Suggestion:
Update to version 5.8.23
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=4.0.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
https://github.com/craftcms/cms.git (GITHUB):
Affected version(s) >=4.0.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
craftcms/cms (PHP):
Affected version(s) >=5.0.0-RC1 <5.8.23
Fix Suggestion:
Update to version 5.8.23
craftcms/cms (PHP):
Affected version(s) >=3.5.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
craftcms/cms (PHP):
Affected version(s) >=3.5.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
craftcms/cms (PHP):
Affected version(s) >=3.5.0 <4.16.19
Fix Suggestion:
Update to version 4.16.19
craftcms/cms (PHP):
Affected version(s) >=5.0.0-RC1 <5.8.23
Fix Suggestion:
Update to version 5.8.23
craftcms/cms (PHP):
Affected version(s) >=5.0.0-RC1 <5.8.23
Fix Suggestion:
Update to version 5.8.23
Related Resources (10)
https://curl.se/libcurl/c/CURLOPT_RESOLVE.html
https://github.com/taviso/rbndr
https://github.com/mogwailabs/DNSrebinder
https://nvd.nist.gov/vuln/detail/CVE-2026-27127
https://github.com/nccgroup/singularity
https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
https://github.com/craftcms/cms
https://unit42.paloaltonetworks.com/dns-rebinding
https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
Do you need more information?
Contact Us
CVSS v4
Base Score:
7
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
PRESENT
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
HIGH
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
NONE
Availability
NONE
Weakness Type (CWE)
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-367
EPSS
Base Score:
0.01