Description
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS contains a missing authorization flaw in the assets/preview-thumb endpoint. A Control Panel user that lacks permission to view a private asset can invoke the endpoint with any asset identifier and obtain preview HTML that includes a signed fallback preview link for that private asset. The vulnerability therefore allows an attacker to discover the details of a private asset and potentially access it through the generated preview link, exposing confidential content without proper authorization.

Affected Systems

The issue touches Craft CMS (CNU 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13). These versions are affected; the fix is implemented in 4.17.8 and 5.9.14.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is not available and the vulnerability is not listed as a known exploited vulnerability by CISA. Attackers need to be authenticated as a Control Panel user but do not require any special rights beyond a standard user account. Once authenticated, the attacker can request a preview for any private asset, gaining access to its signed preview link. The risk is moderate because the attack requires a compromised or legitimate account with insufficient asset‑view permissions, but the impact is significant as it permits disclosure of private asset content.

Generated by OpenCVE AI on June 21, 2026 at 17:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 4.17.8 or later, or 5.9.14 or later to apply the vendor patch that resolves the missing authorization.
  • Review and tighten asset‑view permissions in the Control Panel to ensure only authorized users can view private assets, reducing the potential impact of any future authorization flaws.
  • If an immediate upgrade is not possible, block or restrict access to the assets/preview-thumb endpoint using web‑server or firewall rules so that only authenticated users with appropriate permissions can reach it.

Generated by OpenCVE AI on June 21, 2026 at 17:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Wed, 24 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview link for that private asset, because no asset-view permission check is performed before preview generation. This affects versions >= 4.0.0-RC1, <= 4.17.7 and >= 5.0.0-RC1, <= 5.9.13, and is fixed in 4.17.8 and 5.9.14.
Title Craft CMS - Missing Authorization in assets/preview-thumb Endpoint
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-862
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-24T15:40:58.527Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56384

cve-icon Vulnrichment

Updated: 2026-06-24T15:40:46.506Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:17Z

Weaknesses