CVE-2026-33160: Unauthenticated Information Disclosure via Authorization Bypass in Craft CMS
Vulnerability ID: CVE-2026-33160
CVSS Score: 2.7
Published: 2026-03-24
Craft CMS suffers from a missing authorization vulnerability in its image transformation endpoint. Unauthenticated attackers can generate and retrieve transformed versions of private assets by exploiting an insecure direct object reference (IDOR) flaw in the AssetsController.
TL;DR
Unauthenticated users can view private assets by exploiting a missing authorization check in the Craft CMS image transformation endpoint, leading to information disclosure.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-862 / CWE-639
- Attack Vector: Network
- CVSS v4.0 Score: 2.7
- Impact: Information Disclosure
- Exploit Status: Proof of Concept
- Authentication Required: None
Affected Systems
- Craft CMS 4.x
- Craft CMS 5.x
- Craft CMS: 4.0.0-RC1 < 4.17.8 (Fixed in: 4.17.8)
- Craft CMS: 5.0.0-RC1 < 5.9.14 (Fixed in: 5.9.14)
Code Analysis
Commit: 7290d91
Enforce accessCp permission in actionGenerateTransform and apply volume-level permission checks to secondary asset endpoints.
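The commit message above describes two authorization layers: an accessCp gate on the transform action and a volume-level permission check. The following is an added illustrative Craft CMS controller showing what that pattern looks like in a custom module; it is not the code from commit 7290d91 and not Craft's own AssetsController. The module namespace, class name and action name are hypothetical, and the permission string format `viewAssets:<volume uid>` is assumed to be the one Craft 4/5 use for per-volume view rights.

```php
<?php
// Added illustrative example, not Craft's code: a controller action that gates
// a transform request with the two checks the fix commit describes.
// Namespace, class and action names are hypothetical.
namespace modules\hardening\controllers;

use Craft;
use craft\elements\Asset;
use craft\web\Controller;
use yii\web\ForbiddenHttpException;
use yii\web\NotFoundHttpException;
use yii\web\Response;

class TransformController extends Controller
{
    // Never serve this action anonymously: every request needs a logged-in user.
    protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_NEVER;

    /**
     * Returns the transformed URL for an asset only after both authorization
     * layers pass. A guest is rejected with HTTP 403 before any asset lookup,
     * so the endpoint cannot be used to probe which asset ids exist.
     */
    public function actionGenerateTransform(): Response
    {
        // Layer 1: control-panel access. requirePermission() throws
        // ForbiddenHttpException for guests and for users whose groups lack it.
        $this->requirePermission('accessCp');

        $assetId   = (int)$this->request->getRequiredParam('assetId');
        $transform = $this->request->getParam('transform'); // transform handle or null

        $asset = $this->findAuthorizedAsset($assetId);

        return $this->asJson([
            'url' => $asset->getUrl($transform),
        ]);
    }

    /**
     * Loads the asset and enforces the volume-level permission. Keying the
     * check on the volume the asset actually lives in, rather than trusting
     * the caller-supplied id, is what closes the IDOR.
     */
    private function findAuthorizedAsset(int $assetId): Asset
    {
        $asset = Asset::find()->id($assetId)->one();
        if ($asset === null) {
            throw new NotFoundHttpException('Asset not found.');
        }

        // Layer 2: per-volume permission. Assumed format: "viewAssets:<volume uid>".
        $permission = 'viewAssets:' . $asset->getVolume()->uid;
        if (!Craft::$app->getUser()->checkPermission($permission)) {
            throw new ForbiddenHttpException('You are not permitted to view assets in this volume.');
        }

        return $asset;
    }
}
```

The order of the checks matters: the cheap accessCp gate runs before any database lookup, and the volume check runs against the stored asset rather than a parameter, so neither the existence of an asset nor its contents is revealed to a caller who lacks rights to the volume.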
Mitigation Strategies
- Upgrade Craft CMS to version 4.17.8 or 5.9.14
- Audit user group configurations for 'accessCp' permission
- Implement WAF rules to restrict access to the transformation endpoint
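Since the fix limits the transform endpoint to principals with accessCp, the second mitigation (auditing which groups hold that permission) determines who can still reach it. The following is an added example of a Craft console command that lists those groups; it is not part of Craft or of the advisory, and the module namespace and command route are hypothetical.

```php
<?php
// Added illustrative example, not Craft's code: a console command that lists
// every user group granting 'accessCp'. Namespace and route are hypothetical.
namespace modules\hardening\console\controllers;

use Craft;
use craft\console\Controller;
use yii\console\ExitCode;

class PermissionAuditController extends Controller
{
    /**
     * Usage (hypothetical route): php craft hardening/permission-audit/access-cp
     *
     * Prints each user group that grants accessCp. Note that admin users hold
     * every permission regardless of group membership, so review admin
     * accounts separately.
     */
    public function actionAccessCp(): int
    {
        $groups = Craft::$app->getUserGroups()->getAllGroups();
        $found  = 0;

        foreach ($groups as $group) {
            // UserGroup::can() resolves the group's stored permission set.
            if (!$group->can('accessCp')) {
                continue;
            }
            $found++;
            $this->stdout("{$group->handle} ({$group->name}) grants accessCp\n");
        }

        $this->stdout($found === 0
            ? "No user group grants accessCp.\n"
            : "{$found} group(s) grant accessCp; confirm each one needs control panel access.\n");

        return ExitCode::OK;
    }
}
```

Run it before and after the upgrade: a group that grants accessCp without a business need widens the set of accounts that can still request transforms of private assets once the patch is in place.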
Remediation Steps
- Backup the current Craft CMS database and application files.
- Execute the composer update command to fetch the latest patched version.
- Verify the update by checking the application version in the Control Panel.
- Test standard image transformation workflows to ensure compatibility.
References
- GHSA-5pgf-h923-m958: Information Disclosure in Craft CMS
- Fix Commit: 7290d91639e5e3a4f7e221dfbef95c9b77331860
- CVE-2026-33160 Record