Platform
php
Component
craftcms
Fixed in
5.0.1
4.0.1
5.9.15
CVE-2026-41129 describes a Server-Side Request Forgery (SSRF) vulnerability in Craft CMS. It lets an attacker get the server to issue requests on their behalf, bypassing the application's outbound-URL filtering and reaching services that are only meant to be accessible from inside the network. The vulnerability affects versions 5.0.0-RC1 through 5.9.14; fixes are available in versions 4.17.9 and 5.9.15.
The flaw lies in the GraphQL asset upload functionality, which accepts a URL to fetch an asset from but does not restrict the URL scheme to an allowlist such as http and https. Because any scheme is accepted, an attacker can supply a gopher:// URL, which lets them send arbitrary raw bytes to a TCP port of their choosing rather than a well-formed HTTP request. Combined with a "DWORD" address bypass, in which the target IPv4 address is written as a single 32-bit decimal integer (for example 127.0.0.1 becomes 2130706433) so that it no longer matches the dotted-quad strings a filter is looking for, this lets the attacker reach internal services without triggering the string-matching checks that were supposed to block them. The potential impact includes unauthorized access to sensitive data, internal network scanning, and remote code execution if a reachable internal service (a cache, queue or admin interface that speaks a plain-text protocol, for instance) can be driven by raw bytes.
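To make the two filtering strategies concrete, the following Python script is an added example written for this page; it is not Craft CMS code and does not reproduce the vendor's fix. It places a naive string-matching denylist of the kind the advisory describes next to a hardened check that enforces an http/https scheme allowlist and normalizes the destination address (decimal DWORD, hex, octal and shortened IPv4 spellings, plus IPv4-mapped IPv6) before testing it against non-public ranges. The URLs, the `CONSTRUCTED_DNS` table and the hostnames in it are constructed inputs for the demonstration, and `hardened_is_allowed` and `normalize_ipv4_literal` are names chosen here, not functions of any real library.

```python
"""Naive SSRF URL filter beside a hardened one.

Added illustration, not Craft CMS code. All URLs, hostnames and the
CONSTRUCTED_DNS table are constructed test data for the example.
"""
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# The kind of denylist a string-matching filter relies on: it only knows the
# spellings it was given, so 2130706433 (127.0.0.1 as a DWORD) slips past it.
NAIVE_BLOCKLIST = ("localhost", "127.0.0.1", "169.254.169.254", "10.", "172.16.", "192.168.")

# Constructed stand-in for DNS so the example runs offline (hypothetical names).
CONSTRUCTED_DNS = {
    "cdn.example": ["93.184.216.34"],         # a routable address
    "metadata.example": ["169.254.169.254"],  # a name that points at a link-local target
}


def constructed_resolve(host: str):
    """Offline resolver used in place of real DNS for the demonstration."""
    return CONSTRUCTED_DNS.get(host, [])


def naive_is_allowed(url: str) -> bool:
    """String-matching filter: allows anything not literally on the denylist."""
    lowered = url.lower()
    return not any(bad in lowered for bad in NAIVE_BLOCKLIST)


def _parse_octet_group(text: str):
    """Parse one dotted component in the hex, octal or decimal forms inet_aton accepts."""
    if re.fullmatch(r"0[xX][0-9a-fA-F]+", text):
        return int(text[2:], 16)
    if re.fullmatch(r"0[0-7]*", text):
        return int(text, 8)
    if re.fullmatch(r"[1-9][0-9]*", text):
        return int(text)
    return None


def normalize_ipv4_literal(host: str):
    """Return the IPv4Address behind spellings such as 2130706433, 0x7f000001,
    0177.0.0.1 or 127.1, or None if the host is not an IPv4 literal at all."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    values = [_parse_octet_group(p) for p in parts]
    if any(v is None for v in values):
        return None
    *leading, last = values
    # Every leading group is one byte; the final group fills the remaining bytes.
    if any(v > 255 for v in leading) or last >= 256 ** (4 - len(leading)):
        return None
    number = 0
    for v in leading:
        number = (number << 8) | v
    number = (number << (8 * (4 - len(leading)))) | last
    return ipaddress.IPv4Address(number)


def _is_internal(ip) -> bool:
    """True for any address that must never be a fetch destination."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_is_allowed(url: str, resolve=lambda host: []):
    """Scheme allowlist plus a range check on every normalized destination address.

    `resolve` maps a hostname to its addresses; the default resolves nothing,
    so an unknown name is rejected rather than trusted. Returns (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = normalize_ipv4_literal(host)
    if literal is None:
        try:
            literal = ipaddress.ip_address(host)
        except ValueError:
            literal = None
    addresses = [literal] if literal is not None else [ipaddress.ip_address(a) for a in resolve(host)]
    if not addresses:
        return False, f"{host!r} did not resolve"
    for ip in addresses:
        if _is_internal(ip):
            return False, f"{host!r} maps to non-public address {ip}"
    return True, "ok"


if __name__ == "__main__":
    for sample in ("gopher://2130706433:6379/_PING", "http://0x7f.1/", "https://cdn.example/logo.png"):
        print(sample, "naive:", naive_is_allowed(sample), "hardened:", hardened_is_allowed(sample, constructed_resolve))
```

Two caveats belong with a check like this in production. Resolving a name, passing the check, and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap that DNS rebinding exploits; connect to the address you validated rather than the name. Redirects issued by the remote side are new destinations and must go through the same check.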
CVE-2026-41129 was publicly disclosed on 2026-04-21. Exploitation requires a GraphQL token or user with specific asset permissions in the GraphQL schema, which limits the set of potential attackers to those who already hold some level of access. Public proof-of-concept (PoC) code is likely to emerge, since SSRF of this kind is straightforward to exploit once the vulnerable mutation is known. The vulnerability is not currently listed on CISA KEV, and there are no reports of active exploitation campaigns at this time.
Organizations running Craft CMS with an exposed GraphQL endpoint, where users or tokens hold permission to edit or create assets in a volume, are at increased risk. Shared hosting environments in which several users share one Craft CMS instance are particularly exposed, since any one compromised account with those permissions is enough to exploit the SSRF from inside the application.
• php / server:
grep -r 'gopher:' /var/www/craftcms/config/general.php
grep -r 'gopher:' /var/www/craftcms/modules/*
• generic web:
curl -I 'http://your-craftcms-site.com/graphql' | grep 'Server: Craft CMS'
Note that these greps only reveal whether the string gopher: appears in your own configuration or custom modules; they do not show whether the installation is vulnerable. The authoritative check is the installed version of the craftcms/cms package as reported by Composer, compared against the fixed versions above. The header check depends on the site advertising Craft CMS in its response headers, which a hardened deployment may suppress.
disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
The primary mitigation for CVE-2026-41129 is to upgrade Craft CMS to version 4.17.9 or 5.9.15, which contain the fix. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule that blocks requests carrying the gopher:// scheme or other suspicious URL patterns reduces exposure, but treat it as a stopgap: the DWORD bypass described above is exactly the kind of encoding trick that defeats string-matching rules, so also restrict outbound connections from the web tier to internal services at the network level. Review the GraphQL schema and restrict the "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume" permissions to the tokens and users that genuinely need them. Monitor for unexpected outbound connections from the Craft CMS host, particularly to non-HTTP ports on internal addresses, using egress logs from the proxy or firewall rather than Craft's own logs, which do not record the server's outbound requests. After upgrading, confirm the fix by submitting a gopher:// URL through the GraphQL asset upload mutation and verifying that it is rejected.
Upgrade Craft CMS to version 4.17.9 or later, or to version 5.9.15 or later, to mitigate the SSRF vulnerability. Make sure the "Edit assets in the <VolumeName> volume" and "Create assets in the <VolumeName> volume" permissions are configured correctly in the GraphQL schema.
CVE-2026-41129 is a Server-Side Request Forgery vulnerability in Craft CMS versions 5.0.0-RC1 through 5.9.14 that lets an attacker with asset permissions in the GraphQL schema bypass URL filtering and reach internal services.
You are affected if you are running Craft CMS 5.0.0-RC1 through 5.9.14 and have not yet upgraded to a fixed release (4.17.9 or 5.9.15).
Upgrade Craft CMS to version 4.17.9 or 5.9.15. Until then, WAF rules, egress restrictions and tighter GraphQL asset permissions are temporary mitigations.
There are currently no reports of active exploitation, but public PoCs are likely to emerge.
Refer to the official Craft CMS security advisory on their website for the latest information and updates.