Description
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the saveAsset GraphQL mutation uses filter_var(..., FILTER_VALIDATE_IP) to block a specific list of IP addresses. However, this function rejects rather than normalizes alternative IP notations (hexadecimal, mixed), so such input is never matched against the blocklist, allowing attackers to bypass it and access cloud metadata services. This issue is patched in versions 4.16.18 and 5.8.22.
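As an added illustration (not code from Craft or from the advisory), the Python analogue below shows why a strict validator is the wrong place to enforce a host blocklist: ipaddress.ip_address() stands in for filter_var(FILTER_VALIDATE_IP), the blocklist is constructed for the demo, and the hardened check canonicalizes the host with the same lenient inet_aton rules the socket layer uses before comparing.

```python
import ipaddress
import socket

# Constructed blocklist for this example: loopback plus the link-local range
# where cloud metadata services are reachable. Real deployments extend it.
DENIED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("fe80::/10"),
]

def weak_is_blocked(host: str) -> bool:
    """The flawed pattern: a strict parser (stand-in for FILTER_VALIDATE_IP)
    gates the blocklist, so anything it rejects is never compared at all,
    even though the HTTP client's own parser still accepts those forms."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hex/octal/shortened notation ends up here: not blocked
    return any(ip in net for net in DENIED_NETWORKS)

def canonical_address(host: str):
    """Return the address the socket layer would actually connect to, or None
    for a non-numeric host. inet_aton applies the lenient C rules, so
    '0x7f000001', '0177.0.0.1' and '127.1' all become 127.0.0.1."""
    try:
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        ip = ipaddress.IPv6Address(host)
    except ValueError:
        return None
    return ip.ipv4_mapped or ip  # unwrap ::ffff:a.b.c.d to its IPv4 form

def hardened_is_blocked(host: str) -> bool:
    """Canonicalize first, then compare. Hostnames are resolved and every
    returned address is checked; resolution failure fails closed (blocked)."""
    ip = canonical_address(host)
    if ip is not None:
        candidates = [ip]
    else:
        try:
            infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        except socket.gaierror:
            return True
        candidates = [canonical_address(i[4][0].split("%")[0]) for i in infos]
    return any(c is None or any(c in n for n in DENIED_NETWORKS) for c in candidates)
```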
References (3)
Vendor Advisory: https://github.com/craftcms/cms/security/advisories/GHSA-m5r2-8p9x-hp5m
Patch: https://github.com/craftcms/cms/commit/d49e93e5ba0c48939ce5eaa6cd9b4a990542d8b2
Release Notes: https://github.com/craftcms/cms/releases/tag/5.8.22
Scores
CVSS v3: 6.5
EPSS: 0.0002
EPSS Percentile: 4.9%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-918 (Server-Side Request Forgery)
Status: published
Products (4)
craftcms/cms (Packagist): 5.0.0-RC1 - 5.8.22
craftcms/craft_cms: 4.0.0 (4 CPE variants)
craftcms/craft_cms: 5.0.0 rc1
craftcms/craft_cms: 4.0.0 - 4.16.18
Published: Feb 09, 2026
Tracked Since: Feb 18, 2026