Platform
php
Component
craftcms
Fixed in
5.0.1
4.0.1
5.9.15
CVE-2026-41129 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Craft CMS. The flaw allows attackers to bypass filtering mechanisms and potentially reach internal services from the application. The vulnerability affects versions 5.0.0-RC1 through 5.9.14, and a fix is available in versions 4.17.9 and 5.9.15.
The SSRF vulnerability in Craft CMS stems from a missing URL scheme restriction in the GraphQL asset upload functionality. Although the feature is intended for fetching assets, the application does not enforce an allowlist of schemes such as http and https. This oversight lets an attacker supply a gopher:// URL, which carries raw TCP data to whatever service it points at. Combined with a DWORD bypass (an IP address written as a single decimal integer instead of a dotted quad), this lets an attacker reach internal services without triggering filters that string-match on address literals, effectively bypassing the security controls. The potential impact includes unauthorized access to sensitive data, internal network scanning, and potentially remote code execution if the internal services reached are themselves vulnerable.
CVE-2026-41129 was publicly disclosed on 2026-04-21. The vulnerability requires specific permissions within the GraphQL schema, limiting the scope of potential exploitation. Public proof-of-concept (PoC) code is likely to emerge given the relatively straightforward nature of SSRF exploitation. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns at this time.
Organizations using Craft CMS in environments with exposed GraphQL endpoints and where users have permissions to edit or create assets within volumes are at increased risk. Shared hosting environments where multiple users share the same Craft CMS instance are particularly vulnerable, as a compromised user account could be leveraged to exploit the SSRF vulnerability.
• php / server:
grep -r 'gopher:' /var/www/craftcms/config/general.php
grep -r 'gopher:' /var/www/craftcms/modules/*
• generic web:
curl -I 'http://your-craftcms-site.com/graphql' | grep 'Server: Craft CMS'
Disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-41129 is to upgrade Craft CMS to version 4.17.9 or 5.9.15, which includes the necessary fixes. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) rule to block requests using the Gopher protocol or those containing suspicious URL patterns. Additionally, review and restrict permissions within the GraphQL schema, specifically limiting access to "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume." Monitor Craft CMS logs for unusual outbound requests, particularly those using the Gopher protocol. After upgrading, confirm the fix by attempting a Gopher-based request through the GraphQL interface and verifying that it is blocked.
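As an added example (not Craft CMS's own code), the following PHP shows the kind of check the mitigation above describes for a server-side fetch: a scheme allowlist on the supplied URL, plus canonicalisation of numeric host spellings so a DWORD-encoded loopback address is recognised as internal before any request is made. The function names, the ALLOWED_SCHEMES constant and the resolver callback are assumptions of this example.

```php
<?php
// Added example (not Craft CMS code): validate a user-supplied URL before the
// server fetches it, as an asset-upload handler should. It enforces a scheme
// allowlist (gopher://, file://, dict:// are refused) and canonicalises numeric
// host spellings (DWORD, hex, octal, short dotted) so 2130706433 is seen as 127.0.0.1.
const ALLOWED_SCHEMES = ['http', 'https'];

// Canonical dotted quad for any inet_aton-style IPv4 spelling, else null.
function canonicalIpv4(string $host): ?string {
    $parts = explode('.', $host);
    $n = count($parts);
    if ($n > 4) { return null; }
    $value = 0;
    foreach ($parts as $i => $part) {
        // intval(..., 0) honours 0x (hex) and leading-0 (octal) prefixes.
        if (!preg_match('/^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i', $part)) { return null; }
        $num = intval($part, 0);
        // The last part fills every remaining octet, so 127.1 == 127.0.0.1.
        $span = ($i === $n - 1) ? 256 ** (5 - $n) : 256;
        if ($num >= $span) { return null; }
        $value = $value * $span + $num;
    }
    return long2ip($value);
}

// True for loopback, RFC 1918, link-local and other reserved addresses.
function isInternalAddress(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// True only for http(s) URLs whose destination is not internal. $resolve
// maps a hostname to its addresses and defaults to system DNS.
function isSafeFetchUrl(string $url, ?callable $resolve = null): bool {
    $resolve ??= fn(string $h): array => gethostbynamel($h) ?: [];
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) { return false; }
    if (!in_array(strtolower($p['scheme']), ALLOWED_SCHEMES, true)) { return false; }
    $host = strtolower(trim($p['host'], '[]'));
    $literal = canonicalIpv4($host)
        ?? (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) ? $host : null);
    $addresses = $literal !== null ? [$literal] : $resolve($host);
    if ($addresses === []) { return false; }
    foreach ($addresses as $ip) {
        if (isInternalAddress($ip)) { return false; }
    }
    // Connect to the checked address (pin it), or a DNS rebind can still redirect the fetch.
    return true;
}
```

Call isSafeFetchUrl() before handing the URL to the HTTP client, and pass the address that was checked to the client (for curl, via CURLOPT_RESOLVE) so the fetch cannot resolve to a different host than the one validated.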
Update Craft CMS to version 4.17.9 or later, or to version 5.9.15 or later, to mitigate the SSRF vulnerability. Make sure the permissions "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume" are correctly configured in the GraphQL schema.
CVE-2026-41129 is a Server-Side Request Forgery vulnerability in Craft CMS versions 5.0.0-RC1 through 5.9.14, allowing attackers to bypass filters and access internal services.
You are affected if you are running Craft CMS versions 5.0.0-RC1 through 5.9.14 and have not upgraded to 4.17.9 or 5.9.15.
Upgrade Craft CMS to version 4.17.9 or 5.9.15. Consider WAF rules and restricting GraphQL permissions as temporary mitigations.
There are currently no reports of active exploitation, but public PoCs are likely to emerge.
Refer to the official Craft CMS security advisory on their website for the latest information and updates.