Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Private Asset Contents
Action: Apply Patch
AI Analysis

Impact

Craft CMS versions between 4.0.0‑RC1 and 4.17.7 and between 5.0.0‑RC1 and 5.9.13 expose a flaw where the assets/edit‑image endpoint returns image bytes or redirects to a preview without checking whether the authenticated user has permission to view the requested asset. This lack of per‑asset authorization allows a low‑privileged, authenticated user to retrieve private file contents, potentially leaking sensitive data and violating data confidentiality policies. The weakness is an improper authorization issue (CWE‑639).

Affected Systems

The affected product is Craft CMS (craftcms:cms). Vulnerable releases include all builds from 4.0.0‑RC1 up to not including 4.17.8, and from 5.0.0‑RC1 up to but not including 5.9.14.

Risk and Exploitability

The CVSS score of 4.9 indicates medium severity, and the EPSS score is below 1%, suggesting low current exploit prevalence. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to authenticate to the site with a user that has at least low‑privilege status, then craft an HTTP(S) request to assets/edit‑image with an arbitrary assetId. No additional privileges or network exposure are needed, making the attack relatively straightforward for an authenticated user within the application.

Generated by OpenCVE AI on March 26, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.8 or later, or to 5.9.14 or later.

Generated by OpenCVE AI on March 26, 2026 at 18:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3pvf-vxrv-hh9c Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
History

Thu, 26 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 24 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 24 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Title Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 4.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T20:24:48.917Z

Reserved: 2026-03-17T21:17:08.886Z

Link: CVE-2026-33158

cve-icon Vulnrichment

Updated: 2026-03-24T20:24:41.104Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T18:16:09.750

Modified: 2026-03-26T17:08:28.117

Link: CVE-2026-33158

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:57Z

Weaknesses