Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized disclosure of private assets via transform URLs
Action: Patch Immediately
AI Analysis

Impact

Craft CMS versions from 4.0.0‑RC1 up to but excluding 4.17.8, and from 5.0.0‑RC1 up to but excluding 5.9.14 expose a vulnerability that allows any unauthenticated user to request a transform of a private asset. The asset‑generation endpoint does not enforce per‑asset authorization before generating a signed transform URL, which can then be used to retrieve the content. The result is a partial privilege escalation that permits disclosure of confidential images or media. No remote code execution or denial‑of‑service capabilities are present, which aligns with the CVSS score of 2.7.

Affected Systems

All installations of Craft CMS between the specified ranges are affected. The vulnerability applies to releases 4.0.0‑RC1 through 4.17.7 and 5.0.0‑RC1 through 5.9.13. The issue has been fixed in version 4.17.8 and in 5.9.14. Vendors and product maintainers listed are CraftCMS (Craft CMS).

Risk and Exploitability

The CVSS score of 2.7 indicates moderate severity, primarily due to the lack of authentication for the request. The EPSS score is below 1 % and the vulnerability is not tracked in CISA’s KEV catalog, suggesting that the likelihood of widespread exploitation is low. Nonetheless, the attack can be performed simply by knowing the asset ID and accessing the transform endpoint, allowing the attacker to exfiltrate private asset data. The impact is limited to confidentiality and integrity of the assets, terminating after the transform is performed. Consequently, administrators should treat it as a low‑to‑moderate risk that still warrants prompt mitigations.

Generated by OpenCVE AI on March 26, 2026 at 15:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Craft CMS to version 4.17.8 or later, or 5.9.14 or later.
  • If an immediate upgrade is not feasible, enforce access control on the /assets/generate-transform endpoint by restricting it to authenticated users via application configuration or firewall rules.
  • Verify that the patched versions are in use by checking the CMS version number or reviewing the installed package list.

Generated by OpenCVE AI on March 26, 2026 at 15:48 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5pgf-h923-m958 Craft CMS may expose private assets through anonymous "generate transform" calls via transform URL
History

Fri, 27 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms craft Cms
CPEs cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products Craftcms craft Cms
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Tue, 24 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, an unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL. This issue has been patched in versions 4.17.8 and 5.9.14.
Title Craft CMS: Anonymous "generate transform" calls for assets can expose private assets via transform URL
Weaknesses CWE-639
CWE-862
References
Metrics cvssV4_0

{'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Craftcms Craft Cms Craftcms
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:13.700Z

Reserved: 2026-03-17T21:17:08.887Z

Link: CVE-2026-33160

cve-icon Vulnrichment

Updated: 2026-03-26T19:51:33.524Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T18:16:10.087

Modified: 2026-03-26T14:09:00.590

Link: CVE-2026-33160

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:55Z

Weaknesses