DNS Rebinding Vulnerability in Craft CMS Affects Multiple Versions
CVE-2026-27127

7HIGH

Key Information:

Vendor

Craftcms

Status
Cms
Vendor
CVE Published:
24 February 2026

What is CVE-2026-27127?

Craft CMS, a popular content management system, has a vulnerability that arises due to the separate DNS resolution from HTTP requests in the GraphQL Asset mutation. This flaw allows attackers to perform DNS rebinding attacks by leveraging inconsistent responses from the DNS server during the validation and actual request phases. Exploiting this vulnerabilities requires specific permissions in the GraphQL schema, particularly for editing and creating assets within the affected volume. To mitigate this vulnerability, versions 4.16.19 and 5.8.23 have been released to patch the underlying issue and reinforce security.

Affected Version(s)

cms >= 4.5.0-RC1, < 4.16.19 < 4.5.0-RC1, 4.16.19

cms >= 5.0.0-RC1, < 5.8.23 < 5.0.0-RC1, 5.8.23

References

https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/craftcms/cms/security/advisories/GHSA-...
x_refsource_MISC
https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf...
x_refsource_MISC

CVSS V4

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.