DNS Rebinding Vulnerability in Statamic CMS Affecting User-Submitted URLs
CVE-2026-54242
What is CVE-2026-54242?
Statamic CMS, a content management system utilizing Laravel and Git, is susceptible to a DNS rebinding vulnerability in its Glide image proxy. Prior to versions 5.73.24 and 6.20.1, the URL validation mechanism in Glide could be bypassed, allowing an attacker to manipulate DNS records. This oversight allows for remote hostname validation and potential re-binding to internal server addresses post-validation. Consequently, an attacker could exploit this flaw to initiate HTTP requests to internal resources, including cloud metadata and private network endpoints, particularly affecting installations that handle user-provided URLs. Users are encouraged to upgrade to the latest versions to mitigate this vulnerability.
Affected Version(s)
cms < 5.73.24 < 5.73.24
cms >= 6.0.0, < 6.20.1 < 6.0.0, 6.20.1
