CVE-2026-33158 | THREATINT

Description

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.

PUBLISHED Reserved 2026-03-17 | Published 2026-03-24 | Updated 2026-03-24 | Assigner GitHub_M

MEDIUM: 4.9CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

>= 4.0.0-RC1, < 4.17.8

affected

>= 5.0.0-RC1, < 5.9.14

affected

References

github.com/...ms/cms/security/advisories/GHSA-3pvf-vxrv-hh9c

github.com/...ommit/7290d91639e5e3a4f7e221dfbef95c9b77331860

github.com/craftcms/cms/releases/tag/4.17.8

github.com/craftcms/cms/releases/tag/5.9.14

cve.org (CVE-2026-33158)

nvd.nist.gov (CVE-2026-33158)

Download JSON