MEDIUM 5.4

CVE-2026-45660: Statamic Glide SSRF via IP Representation Bypass

Statamic is a content management system built on Laravel that includes an image proxy feature called Glide. A flaw in how this proxy validates URLs allows attackers to bypass security checks by using alternate IP address formats that aren't properly normalized before validation. An unauthenticated attacker could exploit this to make the server fetch content from internal addresses—such as localhost, private networks, or cloud metadata services—potentially exposing sensitive information. The vulnerability only affects Statamic versions before 5.73.22 and 6.18.1, and does not impact deployments running PHP 8.3 or later.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-918
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.22 and 6.18.1, the Glide image proxy's URL validation could be bypassed using an IP representation that wasn't normalized before the public-IP check. An unauthenticated user could cause the server to make HTTP requests to internal addresses — including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. Sites running PHP 8.3 or newer are not affected. This vulnerability is fixed in 5.73.22 and 6.18.1.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient URL validation in Statamic's Glide image proxy. The public-IP check is performed after URL parsing but before IP representation normalization, creating a window where non-standard IP notations (such as octal, hexadecimal, or integer representations) can bypass the intended restrictions. An attacker crafts a URL using a disguised internal IP address—for example, an alternative numeric representation of 127.0.0.1 or 192.168.x.x—and supplies it as a user-controlled parameter to Glide. The proxy normalizes the IP only after the public-IP check passes, allowing the request to proceed to internal endpoints. This is classified as a Server-Side Request Forgery (SSRF) vulnerability under CWE-918. PHP 8.3's stricter IP validation prevents the bypass, making those deployments immune.

Business impact

This vulnerability enables attackers to conduct SSRF attacks against your internal infrastructure without authentication. An attacker could enumerate or access internal services, retrieve cloud metadata (potentially exposing API keys, instance credentials, or role information on AWS, Azure, GCP), or probe private network segments. If your Statamic instance uses Glide and accepts user-supplied image URLs, the attack surface is direct. Exposure is limited to information disclosure and minor integrity risks; no denial of service or code execution vector is present. However, in environments with permissive network segmentation or cloud deployments, metadata endpoint access could compromise authentication credentials.

Affected systems

Statamic versions 5.x prior to 5.73.22 and 6.x prior to 6.18.1 are vulnerable. The risk only materializes if your Statamic instance is configured to pass user-supplied URLs to the Glide image proxy. Deployments running on PHP 8.3 or newer are not affected due to PHP's built-in IP validation. Statamic installations on PHP 8.0, 8.1, or 8.2 with user-controllable image URL parameters require immediate attention.

Exploitability

Exploitation requires network access to the Statamic instance and knowledge that it accepts user-supplied image URLs via Glide. No authentication is needed. The attack is conceptually straightforward—craft an IP-obfuscated URL pointing to an internal endpoint—but requires some technical understanding of IP notation. The CVSS score reflects a MEDIUM severity with an access vector of Network, high complexity (AC:H indicates non-standard IP representations must be used), and confidentiality/integrity impact limited to information disclosure. While not in the CISA Known Exploited Vulnerabilities catalog, the relative simplicity and clear impact vector mean this should not be dismissed as theoretical.

Remediation

Upgrade Statamic to version 5.73.22 or 6.18.1 (or later). These releases implement proper IP normalization before the public-IP check, closing the bypass. Verify the patch version against the vendor advisory. If immediate patching is not feasible, disable user-supplied URL input to Glide or restrict the URLs accepted to a whitelist of approved domains. If running PHP 8.3 or newer, you are not vulnerable, but upgrading remains recommended for defense-in-depth and potential future issues.

Patch guidance

Apply the vendor-supplied updates: upgrade to Statamic 5.73.22 (for the 5.x line) or 6.18.1 (for the 6.x line) or newer. Test patches in a staging environment to confirm Glide functionality and any user-facing image proxy behavior remains intact. No manual configuration changes are required post-patch; the fix is transparent. If you are running PHP 8.3 or later, patching is still strongly advised for consistency and future-proofing, but the immediate exploitability risk is eliminated by the PHP runtime itself.

Detection guidance

Monitor HTTP access logs for requests to internal or private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1, etc.) originating from the Glide proxy endpoint. Watch for unusual Glide URL parameters containing non-standard IP notations (octal like 0177.0.0.1, hex, or integer formats). Check for requests to cloud metadata endpoints (e.g., 169.254.169.254 for AWS, 169.254.169.254 for Azure, metadata.google.internal). Correlate these with user input logs to identify attack attempts. Implement network-level segmentation to prevent Glide from making arbitrary outbound requests, or restrict outbound connections to approved domains only.

Why prioritize this

Although CVSS 5.4 is MEDIUM, the risk warrants prompt action because: (1) exploitation requires no authentication, (2) the attack vector is straightforward for technical users, (3) successful exploitation can leak sensitive credentials or metadata, and (4) many teams may not realize Glide is configured to accept user URLs. Prioritize this above patching for lower-severity authenticated-only flaws. However, if your Statamic instance does not use Glide with user-supplied URLs, or if you run PHP 8.3+, you can defer relative to critical/high-severity issues affecting your environment.

Risk score, explained

CVSS 3.1 score of 5.4 (MEDIUM) reflects: Network-accessible attack surface (AV:N), high complexity due to the need for non-standard IP notation (AC:H), no privileges required (PR:N), no user interaction (UI:N), changed scope allowing impact on a different system (S:C), limited confidentiality impact via metadata/credential leakage (C:L), limited integrity risk from potential poisoning (I:L), and no availability impact (A:N). The score does not account for context-specific factors such as whether your Glide proxy is internet-facing or whether you rely on cloud metadata—factors that would elevate risk in certain deployments.

Frequently asked questions

Does this affect all Statamic installations?

No. The vulnerability only manifests if your Statamic instance is configured to accept user-supplied image URLs and pass them to the Glide proxy. If Glide only processes URLs controlled by administrators or if image proxying is disabled, your risk is minimal. Additionally, deployments running PHP 8.3 or newer are not vulnerable.

What IP formats can bypass the URL check?

The vulnerability exploits alternative numeric representations of IP addresses: octal notation (e.g., 0177.0.0.1 for 127.0.0.1), hexadecimal (0x7f.0.0.1), and long-form integer representations. These formats are valid to IP parsers but may not be caught by string-based validation if normalization occurs too late in the logic flow.

Is this a remote code execution vulnerability?

No. This is strictly an information disclosure and SSRF vulnerability. It allows an attacker to cause your server to make requests to internal endpoints, potentially exposing metadata, configuration, or credentials, but not executing arbitrary code.

If we're on PHP 8.3, do we still need to patch Statamic?

Technically, PHP 8.3's stricter IP validation prevents exploitation on your current runtime. However, patching Statamic is still recommended for consistency, compatibility with future PHP versions, and defense-in-depth. Test carefully in staging before applying updates to ensure Glide behavior remains as expected.

This analysis is provided for informational purposes. The vulnerability details, affected versions, and patch versions are derived from the official CVE record and Statamic vendor advisory. No proof-of-concept or working exploit code is provided. Organizations should verify patch availability and test in a controlled environment before deploying to production. PHP version and Glide configuration must be confirmed to assess your specific risk. For the latest guidance, consult the vendor security advisory and your internal security policies. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).