PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45660 statamic CVE debrief

Statamic CMS versions prior to 5.73.22 and 6.18.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the Glide image proxy component. The vulnerability exists because URL validation for the Glide image proxy did not normalize IP address representations before checking whether they resolve to public IP addresses. Because the check and the HTTP client interpret the same host string differently, unauthenticated attackers can supply URLs that pass validation yet, when processed by the Glide proxy, cause the server to initiate HTTP requests to internal network destinations, including loopback addresses (127.0.0.1), private RFC 1918 network ranges, and cloud metadata service endpoints (such as 169.254.169.254). The attack vector requires that the Statamic site pass user-supplied URLs to the Glide image processing functionality. Sites running on PHP 8.3 or newer are not affected due to changes in PHP's URL handling behavior. The vulnerability is classified as CWE-918 (Server-Side Request Forgery) and carries a CVSS 3.1 score of 5.4 (Medium severity), reflecting network attack vector, high attack complexity, no required privileges, no user interaction, changed scope, and low impacts to confidentiality and integrity with no availability impact. This vulnerability was disclosed on May 29, 2026 and is not currently listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
statamic
Product
cms
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running Statamic CMS versions prior to 5.73.22 or 6.18.1 on PHP versions prior to 8.3, particularly those exposing Glide image processing functionality with user-supplied URLs. Cloud-hosted deployments are at elevated risk due to potential cloud metadata service access. Security teams responsible for SSRF prevention and application security posture management should prioritize assessment and patching.

Technical summary

The Statamic CMS Glide image proxy component fails to normalize IP address representations before validating whether a URL resolves to a public IP address. This allows attackers to use alternative IP representations (such as decimal, hexadecimal, or octal encodings, or IPv6-mapped IPv4 addresses) that pass the public-IP check but are subsequently interpreted by the underlying HTTP client as internal addresses. Successful exploitation enables unauthenticated SSRF attacks against internal infrastructure, including cloud metadata services. The bypass only works when Statamic runs on PHP versions prior to 8.3, because PHP 8.3 changed its URL parsing behavior.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Statamic CMS to 5.73.22 or later (5.x line) or 6.18.1 or later (6.x line) to remediate this vulnerability
  • Verify PHP version: sites running PHP 8.3 or newer are not affected by this vulnerability
  • Review application configurations to identify any custom Glide proxy implementations that may replicate the vulnerable URL validation logic
  • Implement network egress filtering to restrict outbound HTTP requests from web application servers to prevent SSRF exploitation as a defense-in-depth measure
  • Monitor application logs for anomalous outbound HTTP requests originating from the Glide image processing functionality, particularly to internal IP ranges
  • If immediate patching is not feasible, consider disabling user-supplied URL processing in Glide or implementing additional URL validation that normalizes IP representations before public-IP checks
  • Review cloud metadata service access controls and implement IMDSv2 (Instance Metadata Service version 2) on AWS or equivalent protections on other cloud platforms to mitigate metadata service exposure
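The technical summary above and the interim mitigation in the bullet list ("additional URL validation that normalizes IP representations before public-IP checks") describe the same control: reduce every spelling of a host to the address the HTTP client will actually connect to, and only then decide whether that address is public. The Python validator below is an added example written for this debrief; it is not Statamic's Glide code and does not reproduce the vendor's patched logic. The function names (`parse_ip_literal`, `validate_proxy_url`), the example domain names and the `FAKE_DNS` answers are constructed for the example.

```python
"""Added example: public-host check that normalizes IP spellings first.
Not Statamic/Glide code; function names and sample data are constructed."""
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple, Union
from urllib.parse import urlsplit

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]


def _inet_aton_part(part: str) -> int:
    """Parse one dotted component the way C inet_aton() does:
    0x.. is hex, a leading 0 is octal, anything else is decimal."""
    if part[:2] in ("0x", "0X"):
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def parse_ip_literal(host: str) -> Optional[IPAddress]:
    """Return the address a lenient HTTP client would connect to for `host`,
    or None if `host` is a DNS name rather than any kind of IP literal.
    Covers 2130706433, 0x7f000001, 0177.0.0.1, 127.1 and ::ffff:127.0.0.1."""
    host = host.strip("[]")
    if ":" in host:  # IPv6 literal; an IPv4-mapped address is really IPv4
        try:
            ip6 = ipaddress.IPv6Address(host)
        except ValueError:
            return None
        return ip6.ipv4_mapped if ip6.ipv4_mapped is not None else ip6
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        values = [_inet_aton_part(p) for p in parts]
    except ValueError:
        return None  # letters beyond a hex prefix: this is a hostname
    # inet_aton rule: all but the last component are one byte each; the
    # last component fills however many bytes remain (1, 2, 3 or 4).
    if any(v > 0xFF for v in values[:-1]):
        return None
    tail_bits = 8 * (5 - len(parts))
    if values[-1] >= 1 << tail_bits:
        return None
    packed = 0
    for v in values[:-1]:
        packed = (packed << 8) | v
    packed = (packed << tail_bits) | values[-1]
    return ipaddress.IPv4Address(packed)


def is_public(ip: IPAddress) -> bool:
    """False for loopback, RFC 1918, link-local (which includes
    169.254.169.254), multicast, reserved and unspecified addresses."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def system_resolver(host: str) -> List[str]:
    """Every address the OS resolver returns for `host` (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_proxy_url(url: str, resolve: Resolver = system_resolver) -> Tuple[bool, str]:
    """Decide whether an image proxy may fetch `url`; returns (allowed, reason).
    A host is accepted only if every address it denotes is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    literal = parse_ip_literal(host)
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [parse_ip_literal(a) for a in resolve(host)]
        except OSError:
            return False, "could not resolve host"
    for ip in addresses:
        if ip is None or not is_public(ip):
            return False, f"host denotes non-public address {ip}"
    return True, "ok"


# Constructed DNS answers so the example runs offline; not real records.
FAKE_DNS = {
    "images.example.com": ["93.184.216.34"],
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # one answer is internal
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```

Two design choices matter for a real deployment. First, the fetching client must connect to the address that was vetted rather than resolving the name a second time, and any HTTP redirect it follows must go back through `validate_proxy_url`; otherwise the check can be answered with a public address and the request still ends up internal. Second, in PHP the equivalent range test is `filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)`, but it is only meaningful after the host has been reduced to a canonical address as above; applied to the raw host string it accepts the decimal, hex, octal and mapped spellings this debrief describes.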

Evidence notes

Vulnerability description sourced from NVD record published 2026-05-29T18:17:11.640Z. Affected versions and fix versions confirmed via GitHub Security Advisory GHSA-pf9c-ch8r-2958. PHP 8.3 immunity claim derived from vendor advisory. CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N sourced from NVD. CWE-918 classification sourced from NVD weaknesses field.

Official resources

2026-05-29