TL;DR:
Server-Side Request Forgery in Statamic CMS's Glide image manipulation proxy allows unauthenticated attackers to make the server send HTTP requests to arbitrary URLs, including internal services and cloud metadata endpoints.
Summary
This advisory describes a Server-Side Request Forgery (SSRF) vulnerability in Statamic CMS, a popular Laravel-based flat-file content management system. When Glide image manipulation runs in insecure mode (not the default), an unauthenticated user can abuse the image proxy to make the server send HTTP requests to arbitrary URLs, either by supplying the URL directly or through the watermark feature. The server-side request can reach internal services, cloud metadata endpoints, and any other host reachable from the server.
CVE ID: CVE-2026-28423
Advisory: GHSA-cwpp-325q-2cvp
CWE: CWE-918 — Server-Side Request Forgery (SSRF)
Affected Versions: Statamic < 5.73.11, < 6.4.0
Fixed in: Statamic 5.73.11, 6.4.0
Patch
Fixed in Statamic 5.73.11 and Statamic 6.4.0 via PR #14101.
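Until the patched version is deployed, operators can at least spot abuse of the proxy in their access logs. The script below is an added detection example, not code from Statamic or from the advisory: it picks out requests to the Glide route whose path or query carries an absolute URL (the two injection points the summary describes) and flags those aimed at loopback, private, link-local or metadata addresses. The `/img/` route prefix, the `mark` watermark parameter and the log lines are assumptions and constructed samples.

```python
import re
import ipaddress
from urllib.parse import unquote, urlparse

# Constructed sample access-log lines (not real traffic). The "/img/" Glide route
# prefix and the "mark" watermark parameter are assumptions about the deployment.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /img/assets/hero.jpg?w=300 HTTP/1.1" 200 5120
203.0.113.9 - - [01/Mar/2026:10:00:02 +0000] "GET /img/http%3A%2F%2F169.254.169.254%2Flatest%2Fmeta-data%2F?w=10 HTTP/1.1" 200 512
203.0.113.9 - - [01/Mar/2026:10:00:03 +0000] "GET /img/assets/hero.jpg?mark=http%3A%2F%2F10.0.0.8%3A8080%2Fadmin HTTP/1.1" 200 512
198.51.100.4 - - [01/Mar/2026:10:00:04 +0000] "GET /img/assets/logo.png?mark=https%3A%2F%2Fcdn.example.com%2Fwm.png HTTP/1.1" 200 512
"""

GLIDE_ROUTE = "/img/"  # assumed route prefix of the image manipulation proxy
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')
URL_RE = re.compile(r'https?://[^\s"\'&]+', re.IGNORECASE)
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}

def is_internal_host(host: str) -> bool:
    """True for loopback, private, link-local or well-known metadata hosts."""
    host = host.lower().strip("[]")
    if host in METADATA_HOSTS or host == "localhost":
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not resolved here; this is an offline check
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved

def embedded_urls(target: str) -> list:
    """Absolute URLs smuggled into a Glide request's path or query string."""
    decoded = unquote(unquote(target))  # tolerate double-encoded values
    return URL_RE.findall(decoded)

def scan(log_text: str) -> list:
    """Return (client, url, verdict) for Glide requests that name a remote URL."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not m.group(1).startswith(GLIDE_ROUTE):
            continue
        client = line.split(" ", 1)[0]
        for url in embedded_urls(m.group(1)):
            host = urlparse(url).hostname or ""
            verdict = "internal-target" if is_internal_host(host) else "external-fetch"
            findings.append((client, url, verdict))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

"external-fetch" hits are not necessarily malicious on sites that legitimately watermark with remote images, but "internal-target" hits from the public internet warrant an immediate look.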