Craft CMS Time-of-check Time-of-use (TOCTOU) Race Condition Vulnerability - CVE-2026-27127
Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS's GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, in which an attacker's DNS server returns a different IP address for the validation lookup than for the actual request. This is a bypass of the security fix for CVE-2025-68437 and allows access to all blocked IPs, not just IPv6 endpoints. Exploitation requires the GraphQL schema permissions for editing assets in the <VolumeName> volume and creating assets in the <VolumeName> volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or via the Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.
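The following is an added example, not Craft CMS code, written in Python rather than PHP so the check-then-use gap can be run and tested stand-alone. It contrasts a validator that resolves the hostname once for the check and again for the request (the pattern the advisory describes) with one that pins the validated IP, using a test double for a DNS server whose answers change between lookups; the block list, hostname and function names are all constructed for the example.

```python
import ipaddress
from typing import Callable, List

Resolver = Callable[[str], str]  # hostname -> IP address string (hypothetical DNS hook)

# Constructed deny list: loopback, RFC 1918, link-local, and their IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(ip: str) -> bool:
    """True if the resolved address falls inside any blocked network (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # check ::ffff:a.b.c.d as the IPv4 address it wraps
    return any(addr in net for net in BLOCKED_NETWORKS)


def checked_fetch_target(host: str, resolve: Resolver) -> str:
    """Check-then-use: validate one DNS answer, then let the HTTP client resolve again.
    Returns the IP the connection would actually reach."""
    if is_blocked(resolve(host)):  # time of check
        raise ValueError("blocked destination")
    return resolve(host)  # time of use: an independent second lookup


def pinned_fetch_target(host: str, resolve: Resolver) -> str:
    """Hardened: resolve once, validate that exact IP, and connect to the IP literal
    (the original hostname goes in the Host header / SNI), so no second lookup occurs."""
    pinned = resolve(host)
    if is_blocked(pinned):
        raise ValueError("blocked destination")
    return pinned


def sequenced_resolver(answers: List[str]) -> Resolver:
    """Test double for a DNS server whose answers change between lookups: replays
    `answers` in order and then keeps returning the last one."""
    state = {"i": 0}

    def resolve(_host: str) -> str:
        ip = answers[min(state["i"], len(answers) - 1)]
        state["i"] += 1
        return ip

    return resolve


if __name__ == "__main__":
    # Constructed scenario: first answer is public, second answer flips to loopback.
    for fetch in (checked_fetch_target, pinned_fetch_target):
        dns = sequenced_resolver(["203.0.113.10", "127.0.0.1"])
        print(fetch.__name__, "->", fetch("upload.example", dns))
```

With the same two-answer resolver, checked_fetch_target ends up connecting to 127.0.0.1 while pinned_fetch_target connects to the address it validated.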