Impact
Craft CMS contains an authorization bypass in the assets/preview-file endpoint that does not enforce per‑asset view permissions before returning preview data. An authenticated user with low privileges can request a controlled assetId that they are not authorized to view and still receive the previewHtml response, which includes a private preview image route containing the target assetId. This flaw allows a confidentiality breach of private assets that should be restricted to higher‑privileged users.
Affected Systems
The affected product is Craft CMS. Versions 4.0.0‑RC1 through 4.17.7 inclusive, and 5.0.0‑RC1 through 5.9.13 inclusive, are vulnerable.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, but the flaw requires only an authenticated low‑privileged user and can be exploited via the publicly reachable assets/preview-file endpoint. Attackers can exfiltrate sensitive preview content, potentially exposing private assets and routing information.
OpenCVE Enrichment