Vulnerability Description
Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing a domain name that resolves to an internal IP address, bypassing hostname validation. When a non-image file extension such as .txt is allowed, downstream image validation is bypassed, which can allow an authenticated attacker with permission to use save_images_Asset to retrieve sensitive data such as AWS instance metadata credentials from the underlying host. This issue is patched in versions 4.16.18 and 5.8.22.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 3.5.0, < 4.16.18 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/e838a221df2ab15cd54248f22fc8355d47df29ffPatch
- https://github.com/craftcms/cms/releases/tag/5.8.22ProductRelease Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-96pq-hxpw-rgh8ExploitPatchVendor Advisory
FAQ
What is CVE-2026-25492?
CVE-2026-25492 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Craft CMS is a content management system. In Craft versions 3.5.0 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the save_images_Asset GraphQL mutation can be abused to fetch internal URLs by providing...
How severe is CVE-2026-25492?
CVE-2026-25492 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-25492?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.