Platform
php
Component
craftcms
Fixed in
5.0.1
4.0.1
5.9.15
CVE-2026-41129 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Craft CMS. This flaw allows attackers to bypass filtering mechanisms and potentially access internal services within the application. The vulnerability affects versions 5.0.0-RC1 through 5.9.14, and a fix is available in version 4.17.9 and 5.9.15.
The SSRF vulnerability in Craft CMS arises from a lack of URL scheme restriction within the GraphQL asset upload functionality. While intended for asset uploads, the application doesn't enforce a whitelist for protocols like http or https. This oversight enables attackers to leverage the Gopher protocol to embed raw TCP commands. Combined with a DWORD bypass, this allows attackers to target internal services without triggering common string-matching filters, effectively bypassing security controls. The potential impact includes unauthorized access to sensitive data, internal network scanning, and potentially even remote code execution if internal services are vulnerable.
CVE-2026-41129 was publicly disclosed on 2026-04-21. The vulnerability requires specific permissions within the GraphQL schema, limiting the scope of potential exploitation. Public proof-of-concept (PoC) code is likely to emerge given the relatively straightforward nature of SSRF exploitation. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns at this time.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
The primary mitigation for CVE-2026-41129 is to upgrade Craft CMS to version 4.17.9 or 5.9.15, which includes the necessary fixes. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests using the Gopher protocol or those containing suspicious URL patterns. Additionally, review and restrict permissions within the GraphQL schema, specifically limiting access to "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Monitor Craft CMS logs for unusual outbound requests, particularly those using the Gopher protocol. After upgrading, confirm the fix by attempting a Gopher-based request through the GraphQL interface and verifying that it is blocked.
Update Craft CMS to version 4.17.9 or higher, or to version 5.9.15 or higher to mitigate the SSRF vulnerability. Ensure that the 'Edit assets in the <VolumeName> volume' and 'Create assets in the <VolumeName> volume' permissions are configured correctly in the GraphQL schema.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-41129 is a Server-Side Request Forgery vulnerability in Craft CMS versions 5.0.0-RC1 through 5.9.14, allowing attackers to bypass filters and access internal services.
You are affected if you are running Craft CMS versions 5.0.0-RC1 through 5.9.14 and have not upgraded to 4.17.9 or 5.9.15.
Upgrade Craft CMS to version 4.17.9 or 5.9.15. Consider WAF rules and restricting GraphQL permissions as temporary mitigations.
There are currently no reports of active exploitation, but public PoCs are likely to emerge.
Refer to the official Craft CMS security advisory on their website for the latest information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.