CVE-2026-28423
Published: 27 February 2026
Summary
CVE-2026-28423 is a medium-severity SSRF (CWE-918) vulnerability in Statamic Statamic. Its CVSS base score is 6.8 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2026-28423 is a server-side request forgery (SSRF) vulnerability, classified under CWE-918, affecting Statamic, a Laravel and Git-powered content management system (CMS). The issue resides in the Glide image manipulation component when operated in insecure mode, which is not the default configuration. In versions prior to 5.73.11 and 6.4.0, the image proxy can be abused to force the server to issue HTTP requests to attacker-specified endpoints.
Unauthenticated attackers can exploit this vulnerability remotely by supplying malicious URLs either directly or through the watermark feature in Glide's insecure mode. Successful exploitation enables the attacker to access internal services, cloud metadata endpoints, and other hosts reachable from the compromised server, potentially leading to information disclosure with a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N).
The Statamic security advisory (GHSA-cwpp-325q-2cvp) and release notes confirm the vulnerability has been addressed in versions 5.73.11 and 6.4.0. Security practitioners should upgrade to these patched versions and review configurations to ensure Glide is not enabled in insecure mode.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9092
Vulnerability details
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated…
more
user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SSRF in public-facing CMS enables initial access via T1190; directly facilitates querying cloud metadata endpoints for discovery (T1522) and credential theft (T1552.005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved information flows so the server cannot be tricked into issuing HTTP requests to arbitrary internal or external endpoints via the Glide proxy.
Boundary-protection rules can deny or proxy outbound connections from the CMS to internal services and cloud metadata endpoints that the SSRF vector targets.
Requires prompt application of the vendor patches (5.73.11 / 6.4.0) that close the insecure Glide proxy path described in the CVE.