Unauthorized Disclosure Vulnerability in Craft CMS by Pixel & Tonic
CVE-2026-33158
CVSS score 4.9 (MEDIUM)
What is CVE-2026-33158?
Craft CMS, a widely used content management system developed by Pixel & Tonic, contains a vulnerability that allows low-privileged authenticated users to access private asset content. The cause is a missing authorization check on the 'assets/edit-image' endpoint: the endpoint looks up the asset named by the assetId in the request but does not verify that the requesting user is permitted to view that asset. By supplying an arbitrary assetId, an authenticated user can retrieve the image data of assets they are not entitled to see, or be redirected to a preview of them, which compromises the confidentiality of private files. The vulnerability affects versions 4.0.0-RC1 up to and including 4.17.7 and 5.0.0-RC1 up to and including 5.9.13. It is fixed in versions 4.17.8 and 5.9.14.
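The following is an added illustration of the flaw class described above, written for this page; it is not Craft CMS code and does not reproduce the actual 'assets/edit-image' implementation. It models an authenticated endpoint that loads an asset by a caller-supplied assetId without checking whether the caller may view it, next to a hardened form that enforces object-level authorization, plus the probe a tester would run to tell the two apart. All names (Asset, User, load_asset, edit_image_vulnerable, edit_image_hardened, accessible_ids) and the sample asset store are invented for the example.

```python
"""Object-level authorization on an asset-editing endpoint.

Added example, not Craft CMS code: every class, function and the sample data
below are invented to illustrate the flaw class (trusting a caller-supplied
assetId) and its fix.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Asset:
    id: int
    volume: str    # storage location the asset belongs to; permissions are per volume
    filename: str
    data: bytes    # constructed stand-in for the image bytes


@dataclass(frozen=True)
class User:
    name: str
    view_volumes: frozenset = frozenset()   # volumes this user is allowed to view


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


# Constructed sample store: one asset in a public volume, one in a private volume.
ASSETS = {
    1: Asset(1, "public", "logo.png", b"PNG:public-logo"),
    2: Asset(2, "private", "contract-scan.png", b"PNG:private-contract"),
}


def load_asset(asset_id: int) -> Asset:
    try:
        return ASSETS[asset_id]
    except KeyError:
        raise NotFound(asset_id) from None


def edit_image_vulnerable(user: User, asset_id: int) -> bytes:
    """Checks only that a user is logged in (authentication).

    The assetId is taken from the request and looked up directly, so any
    authenticated user can read any asset's bytes.
    """
    return load_asset(asset_id).data


def edit_image_hardened(user: User, asset_id: int) -> bytes:
    """Authorizes the specific object, not just access to the endpoint.

    An asset the user may not view gets the same NotFound as a missing id, so
    the endpoint does not double as an oracle for which assetIds exist.
    """
    asset = load_asset(asset_id)
    if asset.volume not in user.view_volumes:
        raise NotFound(asset_id)
    return asset.data


def accessible_ids(
    user: User,
    ids: Iterable[int],
    handler: Callable[[User, int], bytes],
) -> list:
    """What a tester does: walk a range of assetIds as a low-privileged user
    and record which ids return content."""
    found = []
    for asset_id in ids:
        try:
            handler(user, asset_id)
        except NotFound:
            continue
        found.append(asset_id)
    return found


if __name__ == "__main__":
    intern = User("intern", frozenset({"public"}))
    print("vulnerable:", accessible_ids(intern, range(1, 5), edit_image_vulnerable))
    print("hardened:  ", accessible_ids(intern, range(1, 5), edit_image_hardened))
```

Run as a low-privileged user, the vulnerable handler returns content for both assets while the hardened handler returns only the public one. The authorization check must run against the asset actually loaded (its volume), not against the endpoint in general; returning the same 404 for "missing" and "not allowed" is a deliberate choice to keep the endpoint from confirming which ids exist.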
Affected Version(s)
Package  Affected versions        Unaffected versions  Fixed in
cms      >= 4.0.0-RC1, < 4.17.8   < 4.0.0-RC1          4.17.8
cms      >= 5.0.0-RC1, < 5.9.14   < 5.0.0-RC1          5.9.14
