6.8

Statamic Server-Side Request Forgery via Glide Image Manipulation

CVE-2026-28423 GHSA-cwpp-325q-2cvp
Summary

An attacker can trick Statamic into making unauthorized requests to other websites or internal services, potentially exposing sensitive information. This issue is fixed in Statamic versions 5.73.11 and 6.4.0. Update to a fixed version to protect your site.

What to do
  • Update statamic cms to version 5.73.11.
  • Update statamic cms to version 6.4.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| statamic | cms | <= 5.73.11 | 5.73.11 |
| statamic | cms | > 6.0.0-alpha.1, <= 6.4.0 | 6.4.0 |
| statamic | statamic | <= 5.73.11 | |
| statamic | statamic | > 6.0.0, <= 6.4.0 | |
Original title
Statamic Vulnerable to Server-Side Request Forgery via Glide
Original description
### Impact

When Glide image manipulation is used in insecure mode (which is *not* the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server.


## Patches

This has been fixed in 5.73.11 and 6.4.0.
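A deny-by-default check of the kind a remote-image proxy needs before it fetches a source image or watermark from a user-supplied URL, added here as an illustrative example (it is not Statamic's or Glide's code); the allowlisted hosts and the pluggable resolver are assumptions so the check runs offline.

```python
# Added example: a deny-by-default URL check for an image proxy that fetches
# remote sources or watermarks (the SSRF surface described in this advisory).
# Illustrative code, not Statamic's or Glide's own; the host allowlist and the
# resolver hook are assumptions so the check can run offline.
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts the proxy is allowed to fetch from (assumed, site-specific).
ALLOWED_HOSTS = {"cdn.example.com", "images.example.com"}

# Every resolved address must also land outside these ranges: loopback,
# RFC 1918, CGNAT, link-local (which includes the 169.254.169.254 cloud
# metadata endpoint), plus IPv6 loopback, unique-local, link-local and
# IPv4-mapped addresses that would otherwise bypass the IPv4 ranges.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]

def resolve(host):
    """Default resolver: every A/AAAA answer for host."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_safe_fetch_target(url, allowed_hosts=ALLOWED_HOSTS, resolver=resolve):
    """True only for http(s) URLs whose host is allowlisted AND whose every
    resolved address is public. Re-run it on each redirect hop: a public
    allowlisted host that 302s to an internal address is still an SSRF."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    # An image CDN needs neither credentials nor a custom port in the URL;
    # both are classic ways to confuse naive host parsing, so refuse them.
    if parts.username or parts.password or parts.port is not None:
        return False
    host = parts.hostname.lower().rstrip(".")
    if host not in allowed_hosts:
        return False
    try:
        addrs = [ipaddress.ip_address(a) for a in resolver(host)]
    except (socket.gaierror, ValueError):
        return False
    if not addrs:
        return False
    # Reject if ANY answer is internal (guards against split/rebinding replies).
    return all(not any(a in net for net in BLOCKED_NETS) for a in addrs)
```

Resolving first and then fetching by hostname still leaves a DNS-rebinding window; to close it, connect to the address that was checked (or check again inside the HTTP client's connection hook).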
NVD CVSS 3.1: 8.6
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 1 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026