{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41129", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-17T12:59:15.737Z", "datePublished": "2026-04-21T23:34:56.801Z", "dateUpdated": "2026-04-21T23:34:56.801Z"}, "containers": {"cna": {"title": "Craft CMS has Server-Side Request Forgery (SSRF) with Asset Uploads Mutations", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"}, {"name": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f", "tags": ["x_refsource_MISC"], "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"}], "affected": [{"vendor": "craftcms", "product": "cms", "versions": [{"version": ">= 5.0.0-RC1, < 5.9.15", "status": "affected"}, {"version": ">= 4.0.0-RC1, < 4.17.9", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T23:34:56.801Z"}, "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue."}], "source": {"advisory": "GHSA-3m9m-24vh-39wx", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Craft CMS is a content management system (CMS). Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: \"Edit assets in the <VolumeName> volume\" and \"Create assets in the <VolumeName> volume.\" Versions 4.17.9 and 5.9.15 patch the issue."}], "id": "CVE-2026-41129", "lastModified": "2026-04-22T00:16:28.733", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-22T00:16:28.733", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/commit/d20aecfaa0eae076c4154be3b17e1f9fa05ce46f"}, {"source": "security-advisories@github.com", "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3m9m-24vh-39wx"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T02:09:28.701672+00:00", "value": {"mitigation_remediation": ["Upgrade Craft CMS to version 4.17.9 or newer, or 5.9.15 or newer, whichever applies to your deployment. ", "Revoke the \"Edit assets\" and \"Create assets\" permissions for volumes in the GraphQL schema for all users except those who legitimately need them. ", "If immediate patching is not possible, block or remove the asset upload mutation endpoint from the GraphQL schema to prevent exploitation. "], "summary": {"action": "Apply Patch", "impact": "Server-Side Request Forgery"}, "threat_synthesis": {"affected_systems": "Affected products are Craft CMS on the 4.x and 5.x branches. The vulnerable releases are those dated 4.17.8 or earlier on 4.x, and 5.9.14 or earlier on 5.x. The issue is fixed in 4.17.9 and 5.9.15, respectively.", "description_and_impact": "Craft CMS versions up to 4.17.8 on the 4.x branch and 5.9.14 on the 5.x branch contain a Server\u2011Side Request Forgery vulnerability that enables an attacker to have the application initiate requests from the server to arbitrary URLs. The flaw is exposed through GraphQL asset upload mutations, and requires that the attacker have the \"Edit assets\" and \"Create assets\" permissions for a target volume. The vulnerability is classified as CWE\u2011918 and allows potential exposure of internal resources, data leakage, or attack surface expansion on the server.", "risk_and_exploitability": "The CVSS score of 5.5 indicates a moderate risk, and no EPSS score is reported. The vulnerability is not listed in CISA KEV. Attack requires specific GraphQL permissions that may not be granted to all users, which limits the exposure to environments where those permissions are enabled. A successful exploitation would let a malicious actor explore internal networks from the CMS server, potentially leading to further attacks."}}}}, "created": "2026-04-22T02:15:05.402218+00:00", "updated": "2026-04-22T02:15:05.402228+00:00", "vendors": []}