Description
Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Published: 2026-03-24
Score: 1.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Asset Metadata
Action: Patch
AI Analysis

Impact

Craft CMS exposes private asset editor metadata through the "assets/image-editor" endpoint. A user who has only low privileges can supply the ID of an asset that they normally cannot view and receive an editor response containing security-sensitive information such as focalPoint. The lack of per-asset authorization validation allows the disclosure of metadata that could reveal structural details of the private asset, thereby compromising confidentiality. The weakness corresponds to improper authorization and information disclosure.

Affected Systems

The flaw affects Craft CMS from version 4.0.0-RC1 up to, but not including, 4.17.8, and from 5.0.0-RC1 up to, but not including, 5.9.14. Any installation within these version ranges that still exposes the assets/image-editor route is vulnerable. The vendor is Craft CMS.

Risk and Exploitability

The CVSS score of 1.3 indicates a very low severity from the vendor’s perspective, and the EPSS score of less than 1% reflects a small likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread public exploitation. An attacker would need to authenticate at a lower privilege level and then craft an HTTP request to the exposed endpoint with an arbitrary asset ID. No additional conditions or exploit scripts are publicly documented, so the risk for most deployments remains minimal but should be mitigated promptly.

Generated by OpenCVE AI on March 26, 2026 at 18:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Craft CMS to version 4.17.8 or later, or to 5.9.14 or later, to apply the vendor patch that restores proper authorization checks for the assets/image-editor endpoint.



Advisories

Source: GitHub GHSA
ID: GHSA-vgjg-248p-rfm2
Title: Craft CMS' anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
History

Thu, 26 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
First Time appeared: Craftcms, craft Cms
CPEs:
cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:4.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:-:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
Vendors & Products: Craftcms, craft Cms
Metrics (cvssV3_1):

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared: Craftcms; Craftcms craftcms
Vendors & Products: Craftcms; Craftcms craftcms

Tue, 24 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc):

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 17:45:00 +0000

Type | Values Removed | Values Added
Description: Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. This issue has been patched in versions 4.17.8 and 5.9.14.
Title: Craft CMS: Anonymous "assets/image-editor" calls return private asset editor metadata to unauthorized users
Weaknesses: CWE-200, CWE-862
References
Metrics (cvssV4_0):

{'score': 1.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T18:02:07.070Z

Reserved: 2026-03-17T21:17:08.887Z

Link: CVE-2026-33161

Vulnrichment

Updated: 2026-03-24T18:01:57.000Z

NVD

Status : Analyzed

Published: 2026-03-24T18:16:10.250

Modified: 2026-03-26T17:09:11.247

Link: CVE-2026-33161

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:20:54Z

Weaknesses