Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint.
The endpoint returns private editing metadata without per-asset authorization validation.
Root-cause analysis:
actionImageEditor()acceptsassetIdfrom the request body.- The asset is loaded, and the focal-point data is read.
- Response returns
htmlandfocalPoint. - No explicit authorization check is applied before the response.
Impact
Affected deployments:
- Craft sites where asset edit metadata should remain restricted to authorized users.
Security consequence:
- Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.
AnalysisAI
An authorization bypass vulnerability in Craft CMS allows low-privileged authenticated users to extract private asset editing metadata, including focal point data, from assets they do not have permission to view. The vulnerability affects Craft CMS versions prior to 4.17.8 and 5.9.14, where the actionImageEditor endpoint fails to perform per-asset authorization checks before returning sensitive editor context. While no CVSS score or EPSS metric is currently published, this information disclosure vulnerability enables attackers to gain unauthorized insight into restricted asset configurations.
Technical ContextAI
The vulnerability exists in the Craft CMS image editor endpoint (assets/image-editor) which is implemented in the actionImageEditor() method. Craft CMS is a PHP-based content management system distributed via Composer as pkg:composer/craftcms_cms. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the endpoint accepts an assetId parameter from the request body and returns editor metadata including focal point data without validating whether the authenticated user has authorization to access that specific asset. The authorization check is missing at the point where private asset editing metadata is retrieved and returned in the response, creating a classic broken access control flaw in the asset management subsystem.
RemediationAI
Upgrade Craft CMS to version 4.17.8 or later for the 4.x branch, or version 5.9.14 or later for the 5.x branch, as released and documented in https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14. The patch implements per-asset authorization validation in the actionImageEditor() endpoint before returning sensitive metadata. Until patching is possible, restrict access to the assets/image-editor endpoint to users with explicit asset management permissions via application-level role controls or reverse proxy rules, and audit access logs for unauthorized attempts to retrieve private asset editor data. Review asset permission configurations to ensure low-privileged users cannot enumerate private asset IDs.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14942
GHSA-vgjg-248p-rfm2