DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33161: Insecure Direct Object Reference in Craft CMS AssetsController


Vulnerability ID: CVE-2026-33161
CVSS Score: 1.3
Published: 2026-03-24

Craft CMS versions 4.x before 4.17.8 and 5.x before 5.9.14 contain an Insecure Direct Object Reference (IDOR) vulnerability in the AssetsController. A failure to validate per-asset authorization allows low-privileged authenticated users to access internal metadata for private assets.

TL;DR

Low-privileged authenticated attackers can exploit an IDOR in the Craft CMS image editor endpoint to extract sensitive asset metadata, including focal points, due to missing volume-level authorization checks.


Technical Details

  • CWE ID: CWE-862 (Missing Authorization), CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
  • Attack Vector: Network
  • Authentication: Required (Low Privilege)
  • CVSS v4.0 Score: 1.3
  • Impact: Information Disclosure
  • Exploit Status: Unexploited / No Public PoC
  • CISA KEV: Not Listed

Affected Systems

  • Craft CMS 4.x
  • Craft CMS 5.x
  • craftcms/cms 4.0.0-RC1 up to, but not including, 4.17.8 (fixed in 4.17.8)
  • craftcms/cms 5.0.0-RC1 up to, but not including, 5.9.14 (fixed in 5.9.14)

Code Analysis

Commit: d30df31

Enforce volume permission requirements on image editor endpoint

@@ -849,6 +849,13 @@ public function actionImageEditor(): Response
             throw new BadRequestHttpException(Craft::t('app', 'The asset you’re trying to edit does not exist.'));
         }

+        $this->requireVolumePermissionByAsset('editImages', $asset);
+        $this->requirePeerVolumePermissionByAsset('editPeerImages', $asset);
+
+        if (!$asset->getSupportsImageEditor()) {
+            throw new BadRequestHttpException('Unsupported file format');
+        }
+
         $focal = $asset->getHasFocalPoint() ? $asset->getFocalPoint() : null;
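Review bot: the two new permission checks run only after the existence check that precedes them, so a caller without volume permission still receives the distinct "does not exist" BadRequestHttpException for a missing id and a different error for an existing one; if the endpoint is not meant to confirm which asset ids exist, consider returning the same response in both cases. Separately, the new `'Unsupported file format'` message is a bare string while the adjacent message goes through `Craft::t('app', ...)`, so it will not be translated; wrap it the same way.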

Mitigation Strategies

  • Update Craft CMS to the latest patched version
  • Audit and restrict user group permissions for the Control Panel and Asset Volumes
  • Implement rate limiting on internal API endpoints to disrupt enumeration attacks

Remediation Steps:

  1. Backup the Craft CMS database and application files.
  2. Run composer update to upgrade craftcms/cms to version 4.17.8 (4.x) or 5.9.14 (5.x).
  3. Review the User Groups configuration in the Control Panel.
  4. Revoke 'Access Control Panel' and 'Asset Volume' permissions from non-essential users.

Read the full report for CVE-2026-33161 on our website for more details including interactive diagrams and full exploit analysis.
