Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes.
The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.
Details
Root cause:
- Anonymous endpoint accepts user-controlled asset reference.
- It creates and returns a transform URL for that asset without checking access rights.
- If the transform output is reachable, guest users can read content derived from private assets.
Who is impacted:
- Installations where private source assets can be transformed and transform URLs are reachable.
Security consequence:
- Anonymous users can obtain content derived from private assets without authentication.
Resources
https://github.com/craftcms/cms/commit/7290d91639e
AnalysisAI
An unauthenticated user can exploit the /assets/generate-transform endpoint in Craft CMS to generate valid transform URLs for private assets without authorization checks, allowing anonymous access to transformed image content that should be restricted. This authentication bypass affects Craft CMS versions prior to 4.17.8 and 5.9.14, enabling attackers to derive and view content from private assets through the publicly accessible transform endpoint. The vulnerability has a published patch and advisory available from the vendor.
Technical ContextAI
Craft CMS (affected CPE: pkg:composer/craftcms_cms) implements an asset transformation system via the /assets/generate-transform endpoint. The endpoint accepts user-controlled asset references (assetId parameters) and generates transform URLs without enforcing per-asset authorization checks. The root cause is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), where the application constructs and returns a transform URL for any asset reference provided, regardless of access permissions. The vulnerability exists because the endpoint is marked as anonymous and lacks access control verification before processing private assets. If the generated transform output is reachable via the web server, unauthenticated clients can fetch transformed image bytes, effectively bypassing the asset access control model.
RemediationAI
Immediately upgrade Craft CMS to version 4.17.8 or later if running the 4.x branch, or to version 5.9.14 or later if running the 5.x branch (see https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14). The patch adds authorization checks to the /assets/generate-transform endpoint to validate user access before generating transform URLs. As a temporary workaround pending upgrade, restrict network access to the /assets/generate-transform endpoint at the reverse proxy or web server level, limiting requests to authenticated clients only, and audit existing transform URLs that may have been generated for private assets to determine exposure.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14940
GHSA-5pgf-h923-m958