Skip to main content

CVE-2026-33161

| EUVDEUVD-2026-14942 LOW
Information Exposure (CWE-200)
2026-03-24 https://github.com/craftcms/cms GHSA-vgjg-248p-rfm2
1.3
CVSS 4.0 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
1.3 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 24, 2026 - 17:30 euvd
EUVD-2026-14942
Analysis Generated
Mar 24, 2026 - 17:30 vuln.today
Patch released
Mar 24, 2026 - 17:30 nvd
Patch available
CVE Published
Mar 24, 2026 - 17:27 nvd
LOW 1.3

DescriptionGitHub Advisory

Summary

A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint.

The endpoint returns private editing metadata without per-asset authorization validation.

Root-cause analysis:

  1. actionImageEditor() accepts assetId from the request body.
  2. The asset is loaded, and the focal-point data is read.
  3. Response returns html and focalPoint.
  4. No explicit authorization check is applied before the response.

Impact

Affected deployments:

  • Craft sites where asset edit metadata should remain restricted to authorized users.

Security consequence:

  • Unauthorized users can extract private editor metadata and related editor context for inaccessible assets.

AnalysisAI

An authorization bypass vulnerability in Craft CMS allows low-privileged authenticated users to extract private asset editing metadata, including focal point data, from assets they do not have permission to view. The vulnerability affects Craft CMS versions prior to 4.17.8 and 5.9.14, where the actionImageEditor endpoint fails to perform per-asset authorization checks before returning sensitive editor context. While no CVSS score or EPSS metric is currently published, this information disclosure vulnerability enables attackers to gain unauthorized insight into restricted asset configurations.

Technical ContextAI

The vulnerability exists in the Craft CMS image editor endpoint (assets/image-editor) which is implemented in the actionImageEditor() method. Craft CMS is a PHP-based content management system distributed via Composer as pkg:composer/craftcms_cms. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where the endpoint accepts an assetId parameter from the request body and returns editor metadata including focal point data without validating whether the authenticated user has authorization to access that specific asset. The authorization check is missing at the point where private asset editing metadata is retrieved and returned in the response, creating a classic broken access control flaw in the asset management subsystem.

RemediationAI

Upgrade Craft CMS to version 4.17.8 or later for the 4.x branch, or version 5.9.14 or later for the 5.x branch, as released and documented in https://github.com/craftcms/cms/releases/tag/4.17.8 and https://github.com/craftcms/cms/releases/tag/5.9.14. The patch implements per-asset authorization validation in the actionImageEditor() endpoint before returning sensitive metadata. Until patching is possible, restrict access to the assets/image-editor endpoint to users with explicit asset management permissions via application-level role controls or reverse proxy rules, and audit access logs for unauthorized attempts to retrieve private asset editor data. Review asset permission configurations to ensure low-privileged users cannot enumerate private asset IDs.

Share

CVE-2026-33161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy