Skip to main content

CVE-2026-33158

| EUVDEUVD-2026-14936 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-24 https://github.com/craftcms/cms GHSA-3pvf-vxrv-hh9c
4.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:00 euvd
EUVD-2026-14936
Analysis Generated
Mar 24, 2026 - 17:00 vuln.today
Patch released
Mar 24, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:53 nvd
MEDIUM 4.9

DescriptionGitHub Advisory

Summary

A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view.

The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.

Details

Root cause:

  • A user-controlled object reference (assetId) is used to load and return sensitive content.
  • The action does not verify whether the current user is authorized to view that asset.
  • This creates an authenticated IDOR / authorization bypass.

Impact

  • Craft installations where private/non-public assets exist and low-privileged users can authenticate.

Resources

https://github.com/craftcms/cms/commit/7290d91639e

AnalysisAI

An authenticated Insecure Direct Object Reference (IDOR) vulnerability in Craft CMS allows low-privileged users to read private asset content by calling the assets/edit-image endpoint with an arbitrary assetId parameter they are not authorized to view. The endpoint fails to enforce per-asset authorization checks before returning image bytes or preview redirects, enabling unauthorized disclosure of sensitive files. A patch is available from the vendor for affected versions (Craft CMS 4.17.8 and 5.9.14), and the vulnerability affects all Craft CMS installations where private assets exist and low-privileged authenticated users have access.

Technical ContextAI

Craft CMS is a content management system built on PHP and distributed via Composer (pkg:composer/craftcms_cms). The vulnerability resides in the assets/edit-image action endpoint, which accepts a user-controlled assetId parameter to load and return asset content. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a variant of IDOR where the application fails to validate whether the authenticated user has permission to access the requested resource. The endpoint retrieves asset data based solely on the assetId without verifying the user's authorization scope, treating the assetId as a direct object reference without proper access control enforcement. This is a classic authorization flaw where authentication (confirming user identity) exists, but authorization (confirming user permissions) is absent.

RemediationAI

Immediately upgrade Craft CMS to version 4.17.8 or later (for 4.x installations) or version 5.9.14 or later (for 5.x installations) by applying the patch available at https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860. If immediate patching is not feasible, implement temporary compensating controls by restricting user access to the assets/edit-image endpoint at the web server or reverse proxy level (via IP allowlisting or disable low-privileged user accounts temporarily), and audit asset access logs for unauthorized assetId enumeration attempts. Additionally, review Craft CMS access control policies to ensure private assets are properly marked and verify that low-privileged user roles have appropriate asset visibility restrictions in place.

Share

CVE-2026-33158 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy