Description
Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Craft CMS contains an authorization bypass in the assets/preview-file endpoint that does not enforce per‑asset view permissions before returning preview data. An authenticated user with low privileges can request a controlled assetId that they are not authorized to view and still receive the previewHtml response, which includes a private preview image route containing the target assetId. This flaw allows a confidentiality breach of private assets that should be restricted to higher‑privileged users.

Affected Systems

The affected product is Craft CMS. Versions 4.0.0‑RC1 through 4.17.7 inclusive, and 5.0.0‑RC1 through 5.9.13 inclusive, are vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the flaw requires only an authenticated low‑privileged user and can be exploited via the publicly reachable assets/preview-file endpoint. Attackers can exfiltrate sensitive preview content, potentially exposing private assets and routing information.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Craft CMS to version 5.9.14 or 4.17.8 and later.
  • If a patch is not immediately available, restrict access to the /assets/preview-file route or implement endpoint‑level authorization checks to enforce per‑asset view permissions.
  • Review asset permission configurations to ensure only authorized roles can request previews and audit logs for unauthorized preview attempts.

Generated by OpenCVE AI on June 21, 2026 at 16:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Craftcms
Craftcms craftcms
Vendors & Products Craftcms
Craftcms craftcms

Mon, 22 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Description Craft CMS versions >= 5.0.0-RC1, <= 5.9.13 and >= 4.0.0-RC1, <= 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an asset they are not permitted to view and still receive preview response data (previewHtml), including a private preview image route containing the target private assetId. Fixed in 5.9.14 and 4.17.8.
Title Craft CMS - Authorization Bypass in assets/preview-file Endpoint
First Time appeared Juzaweb
Juzaweb cms
Weaknesses CWE-639
CPEs cpe:2.3:a:juzaweb:cms:*:*:*:*:*:*:*:*
Vendors & Products Juzaweb
Juzaweb cms
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-22T12:18:10.953Z

Reserved: 2026-06-21T02:05:47.495Z

Link: CVE-2026-56385

cve-icon Vulnrichment

Updated: 2026-06-22T12:18:07.896Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:08:16Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key