Unauthenticated Access Vulnerability in Craft CMS Versions
CVE-2026-33160
2.7 LOW
What is CVE-2026-33160?
Craft CMS, a popular content management system, is affected by a vulnerability that lets unauthenticated users access private asset transformations. The assets/generate-transform endpoint can be called without proper authorization and returns valid URLs for transformed images that belong to private assetIds. This creates a risk of unauthorized access to sensitive image content. The issue is fixed in Craft CMS versions 4.17.8 and 5.9.14.
Affected Version(s)
Package   Affected versions         Unaffected / fixed versions
cms       >= 4.0.0-RC1, < 4.17.8    < 4.0.0-RC1, 4.17.8
cms       >= 5.0.0-RC1, < 5.9.14    < 5.0.0-RC1, 5.9.14
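As an added example, not code from the advisory or from the Craft CMS project: a Python check that tells a defender whether an installed craftcms/cms version sits inside the affected ranges above, honouring pre-release ordering (4.0.0-RC1 sorts below 4.0.0 yet inside the range), and that can read the version straight from a composer.lock file. The Composer package name craftcms/cms is an assumption, and the sample lock document is constructed.

```python
import json
import re

# Affected ranges as published for CVE-2026-33160 (package craftcms/cms):
# (lower bound inclusive, upper bound exclusive, first fixed release).
AFFECTED_RANGES = [
    ("4.0.0-RC1", "4.17.8", "4.17.8"),
    ("5.0.0-RC1", "5.9.14", "5.9.14"),
]

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?$")

def parse_version(text):
    """Turn '4.0.0-RC1' into a tuple that sorts the way Composer/semver does.
    A pre-release (RC, beta, ...) sorts before the final release with the same
    numbers, so 4.0.0-RC1 < 4.0.0 < 4.0.1: finals get rank 1, pre-releases rank 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, tag, tag_num = m.groups()
    pre = (1,) if tag is None else (0, tag.lower(), int(tag_num or 0))
    return (int(major), int(minor), int(patch)) + pre

def fixed_version_for(version):
    """First patched release for the branch `version` is on, or None if unaffected."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v < parse_version(high):
            return fixed
    return None

def is_affected(version):
    return fixed_version_for(version) is not None

def check_composer_lock(lock_json):
    """Find craftcms/cms in a composer.lock document; return (installed, fixed) or None."""
    for pkg in json.loads(lock_json).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"], fixed_version_for(pkg["version"])
    return None  # Craft CMS is not in this lock file

# Constructed sample composer.lock (not taken from a real deployment).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "craftcms/cms", "version": "4.17.7"},
    {"name": "vendor/other", "version": "1.2.3"},
]})
```

Running `check_composer_lock` over a real lock file returns the installed version alongside the release to upgrade to, or None for the fixed field when the install is already outside the affected ranges.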
