CVE-2026-54242 in Statamicinfo

Summary

by MITRE • 07/18/2026

Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, the Glide image proxy's URL validation in src/Imaging/RemoteUrlValidator.php and src/Imaging/GuzzleAdapter.php could be bypassed using DNS rebinding. The remote hostname was validated as publicly routable, but resolved again when the image was actually fetched, so an attacker controlling the hostname's DNS could rebind it to an internal address after validation and cause the server to make HTTP requests to internal addresses, including loopback, private network, and cloud metadata endpoints. This affects sites that pass user-supplied URLs to Glide. This issue is fixed in versions 5.73.24 and 6.20.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/18/2026

The vulnerability in Statamic CMS represents a critical DNS rebinding attack vector that exploits the image proxy functionality within the Glide component. This flaw exists in versions prior to 5.73.24 and 6.20.1 where the remote URL validation process fails to maintain consistent hostname resolution throughout the request lifecycle. The vulnerability specifically impacts the src/Imaging/RemoteUrlValidator.php and src/Imaging/GuzzleAdapter.php files that handle external image fetching operations.

The technical implementation of this vulnerability stems from a validation pattern that initially checks if a hostname is publicly routable but does not enforce persistent resolution constraints during actual image retrieval. When user-supplied URLs are processed through the Glide proxy system, the initial validation permits seemingly legitimate public hostnames while failing to prevent subsequent DNS resolution changes that could redirect requests to internal network addresses. This creates an environment where attackers can manipulate DNS records between the validation phase and the actual HTTP request execution.

The operational impact of this vulnerability is severe as it enables attackers to conduct internal network reconnaissance and potentially exploit vulnerable services running on internal addresses. The attack vector specifically targets loopback interfaces, private IP ranges, and cloud metadata endpoints that are commonly accessible from within application servers. This allows adversaries to discover internal services, extract sensitive information from cloud instances, or even perform service enumeration against internal infrastructure that would normally be protected by network segmentation.

This vulnerability aligns with CWE-1035 which addresses DNS rebinding attacks and maps to ATT&CK technique T1016 for system network configuration discovery. The flaw demonstrates poor input validation practices in web applications where external resource handling does not maintain consistent security boundaries throughout the request processing pipeline. The issue particularly affects organizations that rely heavily on user-generated content or external image sources, as these scenarios create opportunities for attackers to inject malicious URLs into the Glide proxy system.

Security mitigations should focus on implementing strict hostname resolution enforcement that prevents DNS changes between validation and execution phases. Organizations should update to Statamic versions 5.73.24 or 6.20.1 which contain proper fixes for this vulnerability. Additional defensive measures include implementing network segmentation, restricting outbound HTTP requests from application servers, and deploying DNS monitoring solutions to detect unauthorized DNS rebinding attempts. The fix addresses the core validation logic by ensuring hostname resolution remains consistent throughout the entire request lifecycle rather than allowing dynamic DNS resolution changes that could redirect traffic to unintended internal destinations.

Responsible

GitHub M

Reservation

06/12/2026

Disclosure

07/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!