
Craft CMS 5.x Security Vulnerabilities: Patch the February 2026 CVEs Now
Three new security vulnerabilities have been disclosed for Craft CMS, affecting both the 4.x and 5.x branches. Published to the National Vulnerability Database in early February 2026, these CVEs include two Server-Side Request Forgery (SSRF) issues and one SQL Injection vulnerability. If you're running Craft CMS, here's what you need to know and what action to take.
Background: Another Security Patch Cycle for Craft
Craft CMS has had a busy security year. Following critical vulnerabilities disclosed in 2024 and 2025, including CVE-2025-32432 (a critical RCE with a CVSS score of 10.0), the Craft security team has continued patching issues as researchers report them. These Craft CMS security vulnerabilities highlight the importance of staying current with updates.
The three new CVEs were published on February 9 and 10, 2026. All share the same fix: updating to version 5.8.22 (or 4.16.18 for Craft 4 users). The February 2026 Craft CMS security update addresses all three issues at once.
Breaking Down the Three Vulnerabilities
CVE-2026-25493: SSRF Bypass via Redirects
Severity: CVSS v4 6.9 (Medium)
Component: GraphQL saveAsset mutation
Craft validates the initial URL hostname and IP against a blocklist when processing asset uploads. The problem is that Guzzle, the underlying HTTP client, follows redirects by default. An attacker can craft a URL that passes initial validation, then redirects to internal targets like cloud metadata services.
This matters because SSRF attacks against cloud metadata endpoints can expose credentials and service tokens. The CVE-2026-25493 fix is included in the latest patch release.
CVE-2026-25494: SSRF Blocklist Bypass via Alternative IP Notations
Severity: Undergoing Analysis (no CVSS score yet)
Component: GraphQL saveAsset mutation
Craft uses filter_var() with FILTER_VALIDATE_IP to decide whether a destination address is on the blocklist. Alternative representations of the same address, such as hexadecimal or mixed notation, are not matched by that check while the HTTP client still connects to them, giving attackers another path to internal resources. Like CVE-2026-25493, this SSRF issue lives in GraphQL asset handling.
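Both SSRF issues come down to the same defect: the blocklist is checked against one representation of the destination (the URL as typed, before any redirect) while the HTTP client connects to another (the redirect target, or the dotted quad that an alternative notation really denotes). The following is an added example, not Craft's code and not the fix shipped in 5.8.22: a fetch helper that resolves the host, judges every resolved address by its packed bytes rather than its spelling, pins the connection to the vetted address, and repeats the whole check on each redirect hop. It assumes guzzlehttp/guzzle and guzzlehttp/psr7 are installed via Composer; the blocked ranges, the function names and the hop limit are constructed for illustration.

```php
<?php
// Added example (not Craft's code): fetch a user-supplied URL while re-checking
// every hop against an address blocklist. Assumes Guzzle via Composer.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Psr7\Uri;
use GuzzleHttp\Psr7\UriResolver;
use Psr\Http\Message\ResponseInterface;

// Ranges an asset fetch must never reach (constructed list; extend it with your
// own VPC prefixes). 169.254.0.0/16 covers the cloud metadata endpoint.
const BLOCKED_CIDRS = [
    '0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8', '169.254.0.0/16',
    '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/4', '240.0.0.0/4',
    '::/128', '::1/128', 'fc00::/7', 'fe80::/10',
];

// Bitwise CIDR test on the packed address: only the bytes the socket layer
// will use are compared, so the notation of the input no longer matters.
function inCidr(string $ipBin, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr);
    $netBin = inet_pton($net);
    if (strlen($netBin) !== strlen($ipBin)) {
        return false;
    }
    $bits = (int) $bits;
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function isBlockedAddress(string $ip): bool
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return true; // unparsable address: fail closed
    }
    // IPv4-mapped IPv6 (::ffff:a.b.c.d) is judged as the embedded IPv4 address.
    if (strlen($bin) === 16 && substr($bin, 0, 12) === str_repeat("\0", 10) . "\xff\xff") {
        $bin = substr($bin, 12);
    }
    foreach (BLOCKED_CIDRS as $cidr) {
        if (inCidr($bin, $cidr)) {
            return true;
        }
    }
    return false;
}

// Resolve the host to the addresses the client would actually connect to.
// A canonical literal is taken as-is. Everything else, including alternative
// IPv4 spellings, goes through the resolver (glibc hands those back as a
// dotted quad), so the blocklist sees the address, not the user's spelling.
function resolveHost(string $host): array
{
    $host = trim($host, '[]');
    if (@inet_pton($host) !== false) {
        return [$host];
    }
    $v4 = @gethostbynamel($host) ?: [];
    $v6 = array_column(@dns_get_record($host, DNS_AAAA) ?: [], 'ipv6');
    return array_values(array_unique(array_merge($v4, $v6)));
}

function fetchAssetSafely(Client $client, string $url, int $maxHops = 3): ResponseInterface
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        $uri = new Uri($url);
        if (!in_array($uri->getScheme(), ['http', 'https'], true)) {
            throw new RuntimeException("Refused scheme in $url");
        }
        $addresses = resolveHost($uri->getHost());
        if ($addresses === []) {
            throw new RuntimeException("Unresolvable host in $url");
        }
        foreach ($addresses as $ip) {
            if (isBlockedAddress($ip)) {
                throw new RuntimeException("Blocked address $ip for $url");
            }
        }
        // Pin the connection to the vetted address so a DNS answer that changes
        // between check and connect cannot be used (IPv4 pinning shown).
        $port = $uri->getPort() ?? ($uri->getScheme() === 'https' ? 443 : 80);
        $v4 = array_filter($addresses, fn($a) => strpos($a, ':') === false);
        $curl = $v4 ? [CURLOPT_RESOLVE => [$uri->getHost() . ":$port:" . reset($v4)]] : [];
        $response = $client->request('GET', $url, [
            'allow_redirects' => false, // never let the client follow a redirect unchecked
            'http_errors'     => false,
            'curl'            => $curl,
        ]);
        $status = $response->getStatusCode();
        if ($status < 300 || $status >= 400) {
            return $response;
        }
        // Re-enter the loop with the redirect target so it gets the same checks.
        $url = (string) UriResolver::resolve($uri, new Uri($response->getHeaderLine('Location')));
    }
    throw new RuntimeException('Too many redirects');
}
```

Two design points are worth calling out. Disabling Guzzle's redirect following and re-entering the validation loop is what closes the CVE-2026-25493 pattern; comparing packed bytes from inet_pton after resolution, instead of running filter_var() on the raw string, is what closes the CVE-2026-25494 pattern. The CURLOPT_RESOLVE pin exists because resolve-then-connect is otherwise a race: a hostname can answer with a public address during the check and a private one a moment later. Application-level checks like this complement, rather than replace, the instance-level controls mentioned later (requiring IMDSv2 tokens on AWS).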
CVE-2026-25495: SQL Injection in Element Indexes
Severity: CVSS v4 8.7 (High)
Component: Control Panel endpoint element-indexes/get-elements
A JSON body parameter, criteria[orderBy], isn't properly sanitized before being used in a database query's ORDER BY clause. Exploitation requires Control Panel access, which limits the attack surface but still poses a threat if an attacker compromises any admin account. The Craft CMS SQL injection patch resolves this high-severity issue.
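The ORDER BY clause is a recurring injection point because sort columns cannot be passed as bound parameters; the only robust defence is to reduce user input to a known column name and a known direction, and reject everything else. The following is an added example, not Craft's code and not the 5.8.22 fix: an allowlist-based builder for a sort fragment, used alongside bound parameters for the filter values. The table, column names and fixture rows are constructed; it runs stand-alone against an in-memory SQLite database.

```php
<?php
// Added example (not Craft's code): reduce a user-controlled orderBy value to
// allowlisted column names and directions before it reaches SQL.

// Public sort keys mapped to real column names. Constructed allowlist; a real
// application derives this from its schema rather than from request input.
const SORTABLE = ['title' => 'title', 'date' => 'dateCreated', 'id' => 'id'];

/**
 * Turn "title desc, date" (or a list of such terms) into a safe ORDER BY
 * fragment. Anything that is not "<identifier> [asc|desc]" is rejected
 * outright; there is no escaping step that could be gotten wrong.
 */
function buildOrderBy($orderBy): string
{
    $items = is_array($orderBy) ? $orderBy : explode(',', (string) $orderBy);
    $parts = [];
    foreach ($items as $item) {
        if (!preg_match('/^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$/i', (string) $item, $m)) {
            throw new InvalidArgumentException("Rejected orderBy term: $item");
        }
        $key = strtolower($m[1]);
        if (!isset(SORTABLE[$key])) {
            throw new InvalidArgumentException("Unknown sort column: $key");
        }
        $dir = strtoupper($m[2] ?? 'ASC');
        // The column name comes from the allowlist, never from the request.
        $parts[] = '"' . SORTABLE[$key] . '" ' . $dir;
    }
    if ($parts === []) {
        throw new InvalidArgumentException('Empty orderBy');
    }
    return 'ORDER BY ' . implode(', ', $parts);
}

function getElements(PDO $db, string $section, $orderBy): array
{
    // Filter values go through bound parameters; the sort goes through the allowlist.
    $sql = 'SELECT id, title FROM elements WHERE section = :section ' . buildOrderBy($orderBy);
    $stmt = $db->prepare($sql);
    $stmt->execute([':section' => $section]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory fixture so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE elements (id INTEGER PRIMARY KEY, section TEXT, title TEXT, dateCreated TEXT)');
$db->exec("INSERT INTO elements (section, title, dateCreated) VALUES
    ('news', 'Beta', '2026-02-10'), ('news', 'Alpha', '2026-02-09'), ('blog', 'Gamma', '2026-02-11')");

print_r(getElements($db, 'news', 'title desc'));        // Beta, then Alpha
print_r(getElements($db, 'news', ['date', 'id desc']));  // Alpha, then Beta

// A term that is not a bare column name and direction is refused before any SQL is built.
try {
    getElements($db, 'news', 'title, (select 1)');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The same shape applies to any framework query builder: pass the builder a column name taken from your own allowlist, not the string from the request body, and keep user-supplied directions to the two literal values the database understands.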
Affected Versions
Craft 5.x: vulnerable 5.0.0-RC1 through 5.8.21; fixed in 5.8.22
Craft 4.x: vulnerable 4.0.0-RC1 through 4.16.17; fixed in 4.16.18
How This Affects Your Craft Installation
The real-world risk depends heavily on your specific setup.
The two SSRF vulnerabilities target the GraphQL API, specifically the saveAsset mutation. If you don't expose GraphQL publicly, or if you've restricted permissions for asset mutations, your exposure is limited. Cloud-hosted Craft installations face higher risk since SSRF attacks can reach metadata services and expose sensitive tokens. GraphQL permissions deserve a review on every installation, not only those known to use the API.
Our experience shows that many teams enable GraphQL during development and forget to lock it down for production. It's worth auditing your GraphQL schema permissions alongside this update.
The SQL Injection vulnerability requires authenticated Control Panel access. While this narrows the attack surface, it still poses a threat in environments with untrusted CP users or weak admin credentials, so Control Panel account hygiene remains part of the defence.
No active exploitation has been reported for these specific CVEs as of mid-February 2026, and no public proof-of-concept code has surfaced. But given how quickly attackers weaponize Craft vulnerabilities (CVE-2025-32432 saw active exploitation shortly after disclosure), waiting isn't advisable.
What You Should Do
The fix is straightforward: update Craft CMS to version 5.8.22 (or 4.16.18 for the 4.x branch). This single update addresses all three CVEs and is the recommended path forward.
We typically suggest treating this as a priority update rather than bundling it with your next feature release. Security patches deserve their own deployment cycle.
Before Updating
- Back up your database and files
- Test the update in a staging environment
- Review the changelog for any breaking changes
- Plan a maintenance window for production
After Updating
- Verify your Craft version in the Control Panel
- Review your GraphQL schema permissions
- Check that asset mutations are appropriately restricted
- If you're on cloud infrastructure, consider implementing metadata service controls (like IMDSv2 on AWS)
Consolidation Opportunity
For teams running multiple Craft installations, version 5.8.22 is a good consolidation point. It also includes fixes for CVE-2026-25498 (an authenticated RCE) and addresses issues from the earlier CVE-2025-68437.
Summary
Three security vulnerabilities in Craft CMS were published in February 2026, ranging from Medium to High severity. The affected components, GraphQL asset mutations and a Control Panel endpoint, vary in exposure based on your configuration. A single update to version 5.8.22 (or 4.16.18) resolves all of them. Applying this Craft CMS vulnerability patch promptly is strongly recommended.
We've found that security updates go smoother when they're planned rather than rushed. If you're managing Craft CMS installations and need help assessing your exposure to these vulnerabilities, or want support planning and testing the update, our team can walk you through the process and verify your GraphQL configuration afterward.
