Skip to main content

CVE-2026-33160

| EUVDEUVD-2026-14940 LOW
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-24 https://github.com/craftcms/cms GHSA-5pgf-h923-m958
2.7
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
2.7 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:00 euvd
EUVD-2026-14940
Analysis Generated
Mar 24, 2026 - 17:00 vuln.today
Patch released
Mar 24, 2026 - 17:00 nvd
Patch available
CVE Published
Mar 24, 2026 - 16:59 nvd
LOW 2.7

DescriptionGitHub Advisory

Summary

An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes.

The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.

Details

Root cause:

  • Anonymous endpoint accepts user-controlled asset reference.
  • It creates and returns a transform URL for that asset without checking access rights.
  • If the transform output is reachable, guest users can read content derived from private assets.

Who is impacted:

  • Installations where private source assets can be transformed and transform URLs are reachable.

Security consequence:

  • Anonymous users can obtain content derived from private assets without authentication.

Resources

https://github.com/craftcms/cms/commit/7290d91639e

AnalysisAI

An unauthenticated user can exploit the /assets/generate-transform endpoint in Craft CMS to generate valid transform URLs for private assets without authorization checks, allowing anonymous access to transformed image content that should be restricted. This authentication bypass affects Craft CMS versions prior to 4.17.8 and 5.9.14, enabling attackers to derive and view content from private assets through the publicly accessible transform endpoint. The vulnerability has a published patch and advisory available from the vendor.

Technical ContextAI

Craft CMS (affected CPE: pkg:composer/craftcms_cms) implements an asset transformation system via the /assets/generate-transform endpoint. The endpoint accepts user-controlled asset references (assetId parameters) and generates transform URLs without enforcing per-asset authorization checks. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where the application constructs and returns a transform URL for any asset reference provided, regardless of access permissions. The vulnerability exists because the endpoint is marked as anonymous and lacks access control verification before processing private assets. If the generated transform output is reachable via the web server, unauthenticated clients can fetch transformed image bytes, effectively bypassing the asset access control model.

RemediationAI

Immediately upgrade Craft CMS to version 4.17.8 or later if running the 4.x branch, or to version 5.9.14 or later if running the 5.x branch (see https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14). The patch adds authorization checks to the /assets/generate-transform endpoint to validate user access before generating transform URLs. As a temporary workaround pending upgrade, restrict network access to the /assets/generate-transform endpoint at the reverse proxy or web server level, limiting requests to authenticated clients only, and audit existing transform URLs that may have been generated for private assets to determine exposure.

Share

CVE-2026-33160 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy