CVE-2026-27127: Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding
The SSRF validation in Craft CMS’s GraphQL Asset mutation resolves the target hostname separately from the HTTP request that follows, so the address that is checked is not necessarily the address that is contacted. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, in which an attacker-controlled DNS server returns one IP address for the validation lookup and a different one for the actual request.
This bypasses the security fix for CVE-2025-68437 (GHSA-x27p-wfqw-hfcc) and allows access to all blocked IPs, not just IPv6 endpoints.
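The resolve-once-then-pin pattern that closes this TOCTOU, as an added Python example that is not Craft CMS's own code: `vulnerable_target` models the flawed flow (validate one lookup, then let the HTTP client look up again), `pinned_target` validates a single answer and reuses it, and `curl_resolve_entry` builds the `host:port:ip` string that CURLOPT_RESOLVE (see References) accepts so libcurl dials the validated address instead of resolving again. Hostnames and addresses are constructed, and `rebinding_resolver` is a scripted stand-in for a DNS server that answers differently on each query.

```python
"""Resolve-validate-pin against DNS rebinding (added example, not Craft CMS code)."""
import ipaddress
from typing import Callable, List, Optional

Resolver = Callable[[str], List[str]]  # hostname -> list of resolved addresses


def is_blocked(ip_text: str) -> bool:
    """Addresses a server-side fetch must never reach (metadata, loopback, LAN)."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def vulnerable_target(host: str, resolve: Resolver) -> Optional[str]:
    """TOCTOU: the check uses one lookup, then the HTTP client resolves again."""
    if any(is_blocked(ip) for ip in resolve(host)):  # lookup 1: check only
        return None
    return resolve(host)[0]  # lookup 2: the address actually dialled


def pinned_target(host: str, resolve: Resolver) -> Optional[str]:
    """Fix: resolve once, validate every answer, dial only a validated address."""
    addresses = resolve(host)
    if not addresses or any(is_blocked(ip) for ip in addresses):
        return None
    return addresses[0]


def curl_resolve_entry(host: str, port: int, ip: str) -> str:
    """CURLOPT_RESOLVE / curl --resolve entry so libcurl skips its own lookup."""
    return f"{host}:{port}:{ip}"


def rebinding_resolver(answers: List[List[str]]) -> Resolver:
    """Constructed resolver giving a different answer per lookup (TTL-0 rebinding),
    used here only to exercise the two flows above."""
    queue = list(answers)

    def resolve(_host: str) -> List[str]:
        return queue.pop(0) if len(queue) > 1 else queue[0]

    return resolve
```

In PHP the same pinning is applied with `curl_setopt($ch, CURLOPT_RESOLVE, [$entry])`; the Host header and TLS SNI still carry the original hostname, only the connection goes to the pinned address.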
References
- curl.se/libcurl/c/CURLOPT_RESOLVE.html
- github.com/advisories/GHSA-gp2f-7wcm-5fhx
- github.com/craftcms/cms
- github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575
- github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx
- github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc
- github.com/mogwailabs/DNSrebinder
- github.com/nccgroup/singularity
- github.com/taviso/rbndr
- nvd.nist.gov/vuln/detail/CVE-2026-27127
- unit42.paloaltonetworks.com/dns-rebinding