Content Management System Vulnerability in Craft CMS
CVE-2026-33161

1.3 LOW

Key Information:

Vendor

Craftcms

Status
Vendor
CVE Published:
24 March 2026

What is CVE-2026-33161?

Craft CMS contains a vulnerability that allows low-privileged authenticated users to access private asset data through the assets/image-editor endpoint. The endpoint does not perform per-asset authorization checks, so a user who lacks permission to view an asset can still retrieve its private editing metadata, including focal point data. The issue affects versions from 4.0.0-RC1 up to but not including 4.17.8, and from 5.0.0-RC1 up to but not including 5.9.14. Users are encouraged to upgrade to the patched versions 4.17.8 or 5.9.14 to mitigate this risk.

Affected Version(s)

cms >= 4.0.0-RC1, < 4.17.8 (unaffected: < 4.0.0-RC1 and 4.17.8)

cms >= 5.0.0-RC1, < 5.9.14 (unaffected: < 5.0.0-RC1 and 5.9.14)

References

CVSS V4

Score: 1.3
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
