Missing Authorization Vulnerability in Craft CMS
CVE-2026-56384

CVSS 5.3 MEDIUM

Key Information:

Vendor: Craftcms
Status: Vendor
CVE Published: 21 June 2026

What is CVE-2026-56384?

Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb Control Panel endpoint: the action does not check whether the requesting user is permitted to view the asset identified by the supplied assetId. A Control Panel user who lacks view permission on a private asset can therefore request the endpoint with that asset's id and receive a signed fallback transform preview link for it. The flaw affects Craft CMS versions 4.0.0-RC1 through 4.17.7 and 5.0.0-RC1 through 5.9.13 and permits unauthorized access to potentially sensitive content. It is fixed in versions 4.17.8 and 5.9.14.
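The following Python sketch is an added illustration of the defect class described above; it is not code from Craft CMS or from the advisory. It contrasts a preview-thumb handler that only confirms the caller is a logged-in Control Panel user with a hardened handler that authorizes the specific asset before minting a signed link. The asset and user records, the volume-based permission names, the signing key and the URL layout are all constructed for the example. The point it makes is that a signed link is a bearer capability: a valid signature proves the server minted the link, not that the holder was allowed to have it, so the per-object authorization check must happen before the link is issued.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlparse

# Constructed sample data (hypothetical, not Craft's own models). Assets live in
# volumes, and a user may view an asset only if they hold the view permission
# for that asset's volume.
ASSETS = {
    101: {"volume": "public-images", "filename": "logo.png"},
    202: {"volume": "hr-private", "filename": "salaries.pdf"},
}
USERS = {
    "editor": {"permissions": {"viewAssets:public-images"}},
    "hr-admin": {"permissions": {"viewAssets:public-images", "viewAssets:hr-private"}},
}
SIGNING_KEY = b"constructed-demo-key"  # placeholder; a real app uses its secret key
LINK_TTL_SECONDS = 300


class Forbidden(Exception):
    """Raised when the requester is not logged in or may not view the asset."""


def _signature(asset_id: int, expires: int) -> str:
    payload = f"{asset_id}:{expires}".encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


def sign_preview_url(asset_id: int, expires: int) -> str:
    """Mint a signed fallback preview link. Whoever holds it can fetch the thumb."""
    return f"/assets/fallback-thumb?assetId={asset_id}&expires={expires}&sig={_signature(asset_id, expires)}"


def can_view(user: str, asset_id: int) -> bool:
    """Object-level authorization: does this user hold view rights on the asset's volume?"""
    asset = ASSETS[asset_id]
    return f"viewAssets:{asset['volume']}" in USERS[user]["permissions"]


def preview_thumb_vulnerable(user: str, asset_id: int, now: int) -> str:
    """Pattern the advisory describes: only the CP login is checked, not asset view rights."""
    if user not in USERS:
        raise Forbidden("not logged in")
    if asset_id not in ASSETS:
        raise KeyError(asset_id)
    # Missing check: nothing ties the caller's permissions to this particular asset.
    return sign_preview_url(asset_id, now + LINK_TTL_SECONDS)


def preview_thumb_fixed(user: str, asset_id: int, now: int) -> str:
    """Hardened handler: authorize against the requested asset before minting the link."""
    if user not in USERS:
        raise Forbidden("not logged in")
    if asset_id not in ASSETS:
        raise KeyError(asset_id)
    if not can_view(user, asset_id):
        raise Forbidden(f"user {user!r} may not view asset {asset_id}")
    return sign_preview_url(asset_id, now + LINK_TTL_SECONDS)


def verify_preview_url(url: str, now: int) -> bool:
    """Server-side check when the fallback thumb is fetched: intact signature and not expired.

    Note that this proves only that the server minted the link; it cannot recover
    whether the holder was authorized, which is why the check belongs in the handler above.
    """
    qs = parse_qs(urlparse(url).query)
    try:
        asset_id = int(qs["assetId"][0])
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if now > expires:
        return False
    return hmac.compare_digest(sig, _signature(asset_id, expires))


if __name__ == "__main__":
    # The editor has no rights on hr-private, yet the vulnerable handler hands out a valid link.
    leaked = preview_thumb_vulnerable("editor", 202, now=1000)
    print("vulnerable handler issued:", leaked, "valid:", verify_preview_url(leaked, 1000))
    try:
        preview_thumb_fixed("editor", 202, now=1000)
    except Forbidden as exc:
        print("fixed handler refused:", exc)
```

Running the script shows the editor obtaining a verifiable link for the private asset from the vulnerable handler and being refused by the fixed one; the same editor still gets a link for the public asset from the fixed handler. When applying this pattern, keep the authorization check in every action that returns a capability for a user-supplied object id, not only in the page that lists the objects.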

Affected Version(s)

cms 4.0.0-RC1 up to (excluding) 4.17.8

cms 5.0.0-RC1 up to (excluding) 5.9.14

cms 4.17.8

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Susen2