CVE-2026-45660: Statamic Glide SSRF via IP Representation Bypass
Statamic is a content management system built on Laravel that includes an image proxy feature called Glide. A flaw in how this proxy validates URLs allows attackers to bypass security checks by using alternate IP address formats that aren't properly normalized before validation. An unauthenticated attacker could exploit this to make the server fetch content from internal addresses—such as localhost, private networks, or cloud metadata services—potentially exposing sensitive information. The vulnerability only affects Statamic versions before 5.73.22 and 6.18.1, and does not impact deployments running PHP 8.3 or later.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-918
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from insufficient URL validation in Statamic's Glide image proxy. The public-IP check is performed after URL parsing but before IP representation normalization, creating a window where non-standard IP notations (such as octal, hexadecimal, or integer representations) can bypass the intended restrictions. An attacker crafts a URL using a disguised internal IP address—for example, an alternative numeric representation of 127.0.0.1 or 192.168.x.x—and supplies it as a user-controlled parameter to Glide. The proxy normalizes the IP only after the public-IP check passes, allowing the request to proceed to internal endpoints. This is classified as a Server-Side Request Forgery (SSRF) vulnerability under CWE-918. PHP 8.3's stricter IP validation prevents the bypass, making those deployments immune.
Business impact
This vulnerability enables attackers to conduct SSRF attacks against your internal infrastructure without authentication. An attacker could enumerate or access internal services, retrieve cloud metadata (potentially exposing API keys, instance credentials, or role information on AWS, Azure, GCP), or probe private network segments. If your Statamic instance uses Glide and accepts user-supplied image URLs, the attack surface is direct. Exposure is limited to information disclosure and minor integrity risks; no denial of service or code execution vector is present. However, in environments with permissive network segmentation or cloud deployments, metadata endpoint access could compromise authentication credentials.
Affected systems
Statamic versions 5.x prior to 5.73.22 and 6.x prior to 6.18.1 are vulnerable. The risk only materializes if your Statamic instance is configured to pass user-supplied URLs to the Glide image proxy. Deployments running on PHP 8.3 or newer are not affected due to PHP's built-in IP validation. Statamic installations on PHP 8.0, 8.1, or 8.2 with user-controllable image URL parameters require immediate attention.
Exploitability
Exploitation requires network access to the Statamic instance and knowledge that it accepts user-supplied image URLs via Glide. No authentication is needed. The attack is conceptually straightforward—craft an IP-obfuscated URL pointing to an internal endpoint—but requires some technical understanding of IP notation. The CVSS score reflects a MEDIUM severity with an access vector of Network, high complexity (AC:H indicates non-standard IP representations must be used), and confidentiality/integrity impact limited to information disclosure. While not in the CISA Known Exploited Vulnerabilities catalog, the relative simplicity and clear impact vector mean this should not be dismissed as theoretical.
Remediation
Upgrade Statamic to version 5.73.22 or 6.18.1 (or later). These releases implement proper IP normalization before the public-IP check, closing the bypass. Verify the patch version against the vendor advisory. If immediate patching is not feasible, disable user-supplied URL input to Glide or restrict the URLs accepted to a whitelist of approved domains. If running PHP 8.3 or newer, you are not vulnerable, but upgrading remains recommended for defense-in-depth and potential future issues.
Patch guidance
Apply the vendor-supplied updates: upgrade to Statamic 5.73.22 (for the 5.x line) or 6.18.1 (for the 6.x line) or newer. Test patches in a staging environment to confirm Glide functionality and any user-facing image proxy behavior remains intact. No manual configuration changes are required post-patch; the fix is transparent. If you are running PHP 8.3 or later, patching is still strongly advised for consistency and future-proofing, but the immediate exploitability risk is eliminated by the PHP runtime itself.
Detection guidance
Monitor HTTP access logs for requests to internal or private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1, etc.) originating from the Glide proxy endpoint. Watch for unusual Glide URL parameters containing non-standard IP notations (octal like 0177.0.0.1, hex, or integer formats). Check for requests to cloud metadata endpoints (e.g., 169.254.169.254 for AWS, 169.254.169.254 for Azure, metadata.google.internal). Correlate these with user input logs to identify attack attempts. Implement network-level segmentation to prevent Glide from making arbitrary outbound requests, or restrict outbound connections to approved domains only.
Why prioritize this
Although CVSS 5.4 is MEDIUM, the risk warrants prompt action because: (1) exploitation requires no authentication, (2) the attack vector is straightforward for technical users, (3) successful exploitation can leak sensitive credentials or metadata, and (4) many teams may not realize Glide is configured to accept user URLs. Prioritize this above patching for lower-severity authenticated-only flaws. However, if your Statamic instance does not use Glide with user-supplied URLs, or if you run PHP 8.3+, you can defer relative to critical/high-severity issues affecting your environment.
Risk score, explained
CVSS 3.1 score of 5.4 (MEDIUM) reflects: Network-accessible attack surface (AV:N), high complexity due to the need for non-standard IP notation (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope allowing impact on a different system (S:C), limited confidentiality impact via metadata/credential leakage (C:L), limited integrity risk from potential poisoning (I:L), and no availability impact (A:N). The score does not account for context-specific factors such as whether your Glide proxy is internet-facing or whether you rely on cloud metadata—factors that would elevate risk in certain deployments.
Frequently asked questions
Does this affect all Statamic installations?
No. The vulnerability only manifests if your Statamic instance is configured to accept user-supplied image URLs and pass them to the Glide proxy. If Glide only processes URLs controlled by administrators or if image proxying is disabled, your risk is minimal. Additionally, deployments running PHP 8.3 or newer are not vulnerable.
What IP formats can bypass the URL check?
The vulnerability exploits alternative numeric representations of IP addresses: octal notation (e.g., 0177.0.0.1 for 127.0.0.1), hexadecimal (0x7f.0.0.1), and long-form integer representations. These formats are valid to IP parsers but may not be caught by string-based validation if normalization occurs too late in the logic flow.
Is this a remote code execution vulnerability?
No. This is strictly an information disclosure and SSRF vulnerability. It allows an attacker to cause your server to make requests to internal endpoints, potentially exposing metadata, configuration, or credentials, but not executing arbitrary code.
If we're on PHP 8.3, do we still need to patch Statamic?
Technically, PHP 8.3's stricter IP validation prevents exploitation on your current runtime. However, patching Statamic is still recommended for consistency, compatibility with future PHP versions, and defense-in-depth. Test carefully in staging before applying updates to ensure Glide behavior remains as expected.
This analysis is provided for informational purposes. The vulnerability details, affected versions, and patch versions are derived from the official CVE record and Statamic vendor advisory. No proof-of-concept or working exploit code is provided. Organizations should verify patch availability and test in a controlled environment before deploying to production. PHP version and Glide configuration must be confirmed to assess your specific risk. For the latest guidance, consult the vendor security advisory and your internal security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10052MEDIUMQuay SSRF in LDAP/SMTP Validation—Internal Network Reconnaissance Risk
- CVE-2026-10177MEDIUMSSRF in Aider-AI Aider 0.86.3 AWS Metadata Endpoint
- CVE-2026-10239MEDIUMJeecgBoot Server-Side Request Forgery (SSRF) in Word Editing Module
- CVE-2026-10240MEDIUMJeecgBoot SSRF Vulnerability in /airag/airagModel/test Endpoint
- CVE-2026-10241MEDIUMJimuReport SSRF in File Download Function – Patch to 3.9.2
- CVE-2026-10274MEDIUMServer-Side Request Forgery in aem-mcp-server
- CVE-2026-10276MEDIUMJenkins-server-mcp SSRF Vulnerability (0.1.0)
- CVE-2026-10517MEDIUMClair SSRF Vulnerability – Unfiltered HTTP Requests Leak Metadata