Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view.
The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.
Details
Root cause:
- A user-controlled object reference (
assetId) is used to load and return sensitive content. - The action does not verify whether the current user is authorized to view that asset.
- This creates an authenticated IDOR / authorization bypass.
Impact
- Craft installations where private/non-public assets exist and low-privileged users can authenticate.
Resources
https://github.com/craftcms/cms/commit/7290d91639e
AnalysisAI
An authenticated Insecure Direct Object Reference (IDOR) vulnerability in Craft CMS allows low-privileged users to read private asset content by calling the assets/edit-image endpoint with an arbitrary assetId parameter they are not authorized to view. The endpoint fails to enforce per-asset authorization checks before returning image bytes or preview redirects, enabling unauthorized disclosure of sensitive files. A patch is available from the vendor for affected versions (Craft CMS 4.17.8 and 5.9.14), and the vulnerability affects all Craft CMS installations where private assets exist and low-privileged authenticated users have access.
Technical ContextAI
Craft CMS is a content management system built on PHP and distributed via Composer (pkg:composer/craftcms_cms). The vulnerability resides in the assets/edit-image action endpoint, which accepts a user-controlled assetId parameter to load and return asset content. The root cause is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a variant of IDOR where the application fails to validate whether the authenticated user has permission to access the requested resource. The endpoint retrieves asset data based solely on the assetId without verifying the user's authorization scope, treating the assetId as a direct object reference without proper access control enforcement. This is a classic authorization flaw where authentication (confirming user identity) exists, but authorization (confirming user permissions) is absent.
RemediationAI
Immediately upgrade Craft CMS to version 4.17.8 or later (for 4.x installations) or version 5.9.14 or later (for 5.x installations) by applying the patch available at https://github.com/craftcms/cms/commit/7290d91639e5e3a4f7e221dfbef95c9b77331860. If immediate patching is not feasible, implement temporary compensating controls by restricting user access to the assets/edit-image endpoint at the web server or reverse proxy level (via IP allowlisting or disable low-privileged user accounts temporarily), and audit asset access logs for unauthorized assetId enumeration attempts. Additionally, review Craft CMS access control policies to ensure private assets are properly marked and verify that low-privileged user roles have appropriate asset visibility restrictions in place.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14936
GHSA-3pvf-vxrv-hh9c